--- Day changed Tue Jan 01 2013
00:11 -!- joshie [~josh@joshie.net] has joined #openvpn
00:16 -!- brute11k [~brute11k@89.249.230.165] has joined #openvpn
01:34 -!- kyrix [~ashley@97-113-114-23.tukw.qwest.net] has joined #openvpn
01:57 -!- konigsberg7 [~mIRC@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
02:04 -!- joshie [~josh@joshie.net] has quit [Ping timeout: 245 seconds]
02:06 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
02:13 -!- joshie [~josh@joshie.net] has joined #openvpn
02:38 -!- kyrix [~ashley@97-113-114-23.tukw.qwest.net] has quit [Quit: Ex-Chat]
03:14 -!- konigsberg7 [~mIRC@c-67-163-13-78.hsd1.il.comcast.net] has quit [Quit: 123asdf]
03:31 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has joined #openvpn
03:46 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 245 seconds]
03:51 -!- |PaSa| [lamest@2a01:7e00::f03c:91ff:feae:c042] has joined #openvpn
03:51 -!- |PaSa| [lamest@2a01:7e00::f03c:91ff:feae:c042] has quit [Client Quit]
03:51 -!- |PaSa| [lamest@2a01:7e00::f03c:91ff:feae:c042] has joined #openvpn
03:51 -!- |PaSa| [lamest@2a01:7e00::f03c:91ff:feae:c042] has left #openvpn []
04:16 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
04:50 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Ping timeout: 255 seconds]
04:50 -!- highend [~highend@46.249.58.73] has left #openvpn []
04:56 -!- cosmicgate- [~minasan@46.228.205.104] has joined #openvpn
06:00 -!- sauce [sauce@ool-ad02adcb.dyn.optonline.net] has joined #openvpn
06:00 -!- sauce [sauce@ool-ad02adcb.dyn.optonline.net] has quit [Changing host]
06:00 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
06:20 -!- Porkepix [~Porkepix@81-67-102-99.rev.numericable.fr] has joined #openvpn
06:46 -!- brute11k [~brute11k@89.249.230.165] has quit [Read error: Operation timed out]
06:56 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
07:00 -!- brute11k [~brute11k@89.249.230.165] has joined #openvpn
07:23 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:25 -!- ag4ve [~ag4ve@96.26.67.194] has quit [Ping timeout: 245 seconds]
07:27 -!- ag4ve [~ag4ve@96.26.67.194] has joined #openvpn
07:29 -!- Porkepix [~Porkepix@81-67-102-99.rev.numericable.fr] has quit [Ping timeout: 252 seconds]
07:31 -!- Porkepix [~Porkepix@81-67-102-99.rev.numericable.fr] has joined #openvpn
07:35 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
07:56 -!- awdjadj [~IceChat77@91.225.135.254] has joined #openvpn
08:01 -!- Porkepix [~Porkepix@81-67-102-99.rev.numericable.fr] has quit [Ping timeout: 255 seconds]
08:02 -!- awdjadj [~IceChat77@91.225.135.254] has quit [Quit: Hard work pays off in the future, laziness pays off now]
08:27 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has quit [Read error: Connection reset by peer]
08:33 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 255 seconds]
08:33 -!- cosmicgate- [~minasan@46.228.205.104] has quit [Ping timeout: 260 seconds]
08:34 -!- cosmicgate- [~minasan@46.228.205.104] has joined #openvpn
08:37 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has joined #openvpn
08:59 -!- cosmicgate- [~minasan@46.228.205.104] has quit [Ping timeout: 245 seconds]
09:02 -!- cosmicgate- [~minasan@46.228.205.104] has joined #openvpn
09:12 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 245 seconds]
09:14 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has quit [Read error: Connection reset by peer]
09:14 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has joined #openvpn
09:37 -!- cosmicgate- [~minasan@46.228.205.104] has quit [Ping timeout: 276 seconds]
09:40 -!- afuentes [~afuentes@188.84.110.5] has joined #openvpn
09:49 -!- Porkepix [~Porkepix@81-67-100-9.rev.numericable.fr] has joined #openvpn
09:50 -!- moore1 [~moore@41.206.15.33.vgccl.net] has joined #openvpn
09:53 -!- Porkepix [~Porkepix@81-67-100-9.rev.numericable.fr] has quit [Client Quit]
10:09 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
10:20 -!- master_of_master [~master_of@p57B5412B.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
10:22 -!- master_of_master [~master_of@p57B55644.dip.t-dialin.net] has joined #openvpn
10:33 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
10:45 -!- Porkepix [~Porkepix@81-67-100-9.rev.numericable.fr] has joined #openvpn
11:47 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
12:26 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 256 seconds]
12:29 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 255 seconds]
12:29 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
12:30 -!- moore1 [~moore@41.206.15.33.vgccl.net] has quit [Ping timeout: 252 seconds]
12:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
12:36 -!- ade_b [~Ade@koln-4d0dd7d8.pool.mediaWays.net] has joined #openvpn
12:36 -!- ade_b [~Ade@koln-4d0dd7d8.pool.mediaWays.net] has quit [Changing host]
12:36 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:42 -!- Porkepix [~Porkepix@81-67-100-9.rev.numericable.fr] has quit [Ping timeout: 255 seconds]
13:07 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has quit [Ping timeout: 240 seconds]
13:08 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
13:08 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
13:08 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
13:08 -!- mode/#openvpn [+o krzee] by ChanServ
13:27 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye]
13:31 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has joined #openvpn
13:57 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.225.wb.wifirst.net] has joined #openvpn
14:07 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
14:11 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Client Quit]
14:13 -!- ezhangin [~ezhangin@c-98-215-78-17.hsd1.in.comcast.net] has joined #openvpn
14:13 < ezhangin> hey guys
14:14 < ezhangin> i'm getting the possible route subnet conflict with the warning as WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0] except the remote LAN should be 192.168.144.0/24
14:14 < ezhangin> no idea why it isn't showing as that
14:18 < pppingme> paste your config
14:20 < ezhangin> sure
14:20 < ezhangin> this works from my phone weirdly
14:21 < ezhangin> http://pastebin.com/pEvM0fTA
14:21 < ezhangin> if i use my phone as the internet source
14:23 < pppingme> I meant the server config..
14:24 < ezhangin> uh it's a synology let me see how to get that
14:25 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
14:26 < pppingme> you've got openvpn running on a synology nas?
14:27 < ezhangin> yeah it comes preinstalled
14:27 < ezhangin> it works when i use my phone as an internet source but not this network
14:27 < ezhangin> so weird
14:27 < ezhangin> i'm actually connected to the remote network just fine but i can't get to any of the machines because it is listing a conflict
14:27 < ezhangin> which doesn't make any sense
14:28 < pppingme> when you use your phone, you don't get the message, can you get to the remote network then?
14:29 < ezhangin> i can check
14:31 < ezhangin> brb swapping internet source
14:35 -!- ezhangin [~ezhangin@c-98-215-78-17.hsd1.in.comcast.net] has quit [Ping timeout: 245 seconds]
14:35 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
14:35 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
14:35 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
14:35 -!- mode/#openvpn [+o krzee] by ChanServ
14:40 -!- pwrcycle [~pwrcycle@unaffiliated/pwrcycle] has quit [Ping timeout: 255 seconds]
14:46 -!- brute11k [~brute11k@89.249.230.165] has quit [Ping timeout: 260 seconds]
14:46 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn
14:50 -!- brute11k [~brute11k@89.249.230.165] has joined #openvpn
14:53 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has quit [Changing host]
14:53 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn
14:53 -!- inimino [~inimino@oftn/board/inimino] has quit [Ping timeout: 248 seconds]
14:54 -!- bandroidx [~bandroidx@2607:f358:1:fed5:4:0:414:11] has quit [Excess Flood]
14:55 -!- bandroidx [~bandroidx@2607:f358:1:fed5:4:0:414:11] has joined #openvpn
14:58 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 276 seconds]
15:00 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:00 -!- mode/#openvpn [+v s7r] by ChanServ
15:00 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Changing host]
15:00 -!- pwrcycle [~pwrcycle@unaffiliated/pwrcycle] has joined #openvpn
15:00 <+s7r> happy new year to all openvpn community ! ! !
15:10 -!- ade_b [~Ade@h31-3-227-203.host.redstation.co.uk] has joined #openvpn
15:10 -!- ade_b [~Ade@h31-3-227-203.host.redstation.co.uk] has quit [Changing host]
15:10 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
15:15 < M4rc3l> happy new year s7r
15:16 -!- afuentes [~afuentes@188.84.110.5] has quit [Remote host closed the connection]
15:16 <+s7r> sa traim bine (Romanian: "may we live well")
15:20 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
15:21 -!- MeanderingCode [~Meanderin@75-173-14-154.albq.qwest.net] has quit [Ping timeout: 255 seconds]
15:31 -!- m0sphere [~m0sphere@S01060018e78c9cff.cg.shawcable.net] has joined #openvpn
15:43 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.225.wb.wifirst.net] has quit [Read error: Connection reset by peer]
15:46 < m0sphere> I'm having issues with connecting to the internet from my win7 machine connected to my openvpn server and I believe it has something to do with iptables. I am unable to resolve hostnames, ping ip addresses, or do anything from the win7 machine when connected. here is my ifconfig, route -n, iptables postrouting chain and ipconfig from the windows 7 box http://pastebin.com/kE0qPv8B
15:47 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-137.28.wb.wifirst.net] has joined #openvpn
15:49 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-137.28.wb.wifirst.net] has quit [Client Quit]
16:02 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
16:09 -!- MaxeyPad [~MaxeyPad@96-29-230-119.dhcp.insightbb.com] has quit [Ping timeout: 252 seconds]
16:37 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
16:38 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Read error: Connection reset by peer]
16:54 -!- inimino [~inimino@oftn/board/inimino] has joined #openvpn
16:58 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:58 < kisom> m0sphere: Did you enable ipv4_forwarding? :)
17:02 -!- ade_b [~Ade@koln-4d0dd7d8.pool.mediaWays.net] has joined #openvpn
17:02 -!- ade_b [~Ade@koln-4d0dd7d8.pool.mediaWays.net] has quit [Changing host]
17:02 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
17:03 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
17:09 < m0sphere> i figured it out
17:09 < m0sphere> client was missing comp-lzo,
17:20 -!- MaxeyPad [~MaxeyPad@96-29-230-119.dhcp.insightbb.com] has joined #openvpn
17:30 <@krzee> m0sphere, for next time:
17:30 <@krzee> !redirect
17:30 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
17:30 <@vpnHelper> http://ircpimps.org/redirect.png
17:30 <@krzee> the flowchart at the end =]
17:30 <@krzee> i was too late tho
17:32 < m0sphere> ty
17:32 <@krzee> np
17:32 < m0sphere> i'm sure this wont be the last openvpn server i set up and frustrate myself with
17:34 <@EugeneKay> !refund
17:35 -!- Porkepix [~Porkepix@dispo-82-248-141-132.adsl.proxad.net] has joined #openvpn
17:35 <@EugeneKay> D'awww, this bot doesn't know it.
17:39 -!- medusaXX [~medusaxx@vpn-147-149.vpn.uni-mannheim.de] has joined #openvpn
17:39 < medusaXX> !welcome
17:39 < medusaXX> !goal
17:39 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
17:39 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:40 < medusaXX> is there an estimate how big the openvpn bandwidth overhead is due to encryption etc?
17:44 -!- MeanderingCode [~Meanderin@75-173-14-154.albq.qwest.net] has joined #openvpn
18:05 <@krzee> not that i know of
18:05 <@krzee> i'd expect it to vary a bit depending on the traffic
18:06 <@krzee> since the overhead is per packet, not per byte
18:14 < medusaXX> hm ok
18:14 < medusaXX> makes sense
18:23 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 248 seconds]
18:35 -!- cosmicgate- [~minasan@216.17.109.26] has joined #openvpn
18:42 -!- hjf [~hjf@184-0-17-190.fibertel.com.ar] has quit [Ping timeout: 276 seconds]
18:42 -!- medusaXX [~medusaxx@vpn-147-149.vpn.uni-mannheim.de] has quit []
19:11 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn
19:20 -!- hjf [~hjf@184-0-17-190.fibertel.com.ar] has joined #openvpn
19:27 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
19:40 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Quit: Leaving]
20:37 -!- cosmicgate-- [~minasan@113.210.99.116] has joined #openvpn
20:38 -!- cosmicgate- [~minasan@216.17.109.26] has quit [Ping timeout: 264 seconds]
20:50 -!- cosmicgate-- [~minasan@113.210.99.116] has quit []
20:51 -!- cosmicgate- [~minasan@216.17.109.26] has joined #openvpn
20:52 -!- F^4 [~FFForever@unaffiliated/ffforever] has joined #openvpn
20:56 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
21:04 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Read error: Connection reset by peer]
21:05 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
21:10 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Read error: Connection reset by peer]
21:10 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
21:21 -!- dli [~dli@64.231.53.50] has quit [Remote host closed the connection]
21:39 -!- valparaiso [~valparais@ARennes-257-1-67-126.w81-53.abo.wanadoo.fr] has quit [Ping timeout: 255 seconds]
21:48 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has joined #openvpn
21:49 < staticsafe> !welcome
21:49 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
21:49 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:49 < staticsafe> !howto
21:49 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
21:55 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
22:11 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Ping timeout: 255 seconds]
22:26 -!- brute11k [~brute11k@89.249.230.165] has quit [Ping timeout: 265 seconds]
22:36 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has joined #openvpn
22:38 < kisom> !iporder
22:38 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
22:39 < kisom> !ipp
22:39 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
22:43 -!- gardar [~gardar@gardar.net] has quit [Remote host closed the connection]
22:46 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has quit [Remote host closed the connection]
22:48 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn
22:53 -!- cosmicgate-- [~minasan@113.210.99.116] has joined #openvpn
22:54 -!- cosmicgate- [~minasan@216.17.109.26] has quit [Ping timeout: 255 seconds]
22:57 -!- cosmicgate- [~minasan@198.147.22.172] has joined #openvpn
22:57 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Remote host closed the connection]
23:02 -!- cosmicgate-- [~minasan@113.210.99.116] has quit [Ping timeout: 260 seconds]
23:04 -!- cosmicgate- [~minasan@198.147.22.172] has quit [Ping timeout: 245 seconds]
23:07 -!- cosmicgate- [~minasan@216.17.109.26] has joined #openvpn
23:13 < pppingme> !iporder
23:13 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
23:14 < pppingme> !static
23:14 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder
23:22 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Remote host closed the connection]
23:22 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
23:22 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
23:22 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
23:22 -!- mode/#openvpn [+o krzee] by ChanServ
23:23 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
23:29 -!- cosmicgate-- [~minasan@113.210.99.116] has joined #openvpn
23:30 -!- cosmicgate- [~minasan@216.17.109.26] has quit [Ping timeout: 276 seconds]
23:32 -!- cosmicgate- [~minasan@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has joined #openvpn
23:34 -!- cosmicgate-- [~minasan@113.210.99.116] has quit [Ping timeout: 276 seconds]
--- Day changed Wed Jan 02 2013
00:20 < kisom> I'm wondering how D-link is even running a business...
00:21 < kisom> Seems their recent Linux based firmware does not allow the WAN DHCP reply in iptables. So it brings down the network, and then some script runs that allows the DHCP response, and then everything is brought up again
00:22 < kisom> Which causes all connections to drop once an hour when the DHCP lease expires :D
00:22 < kisom> Do not buy Dlink!
00:22 <+pekster> Or just flash another OS like OpenWRT on it :P
00:23 <+pekster> FWIW, -m conntrack --ctstate ESTABLISHED will allow return DHCP traffic :P
00:25 < kisom> Not compatible
00:26 <+pekster> -m state --state ESTABLISHED will work too
00:26 < kisom> The problem is within the INPUT chain
00:26 < kisom> It drops traffic to the router itself
00:27 <+pekster> Sure. I don't do anything special for my DHCP traffic on my OpenWRT device. '-A INPUT -m state --state ESTABLISHED,RELATED' is good enough
00:27 <+pekster> Broken firewall rulesets are a dime a dozen
00:27 < kisom> Yeah, but this is vanilla Dlink firmware
00:27 < kisom> I just plugged it in
00:27 <+pekster> Yup
00:28 <+pekster> And this is why I run my own firewalls :P
00:28 <+pekster> I'd kinda like to find more FOSS stuff to seed just to run more connections through my hardware with 16M of RAM :P
00:29 <+pekster> DHCP leases can do fun stuff to OpenVPN too, depending on DHCP and ovpn configuration
00:48 -!- MaxeyPad_ [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has joined #openvpn
00:51 -!- MaxeyPad [~MaxeyPad@96-29-230-119.dhcp.insightbb.com] has quit [Ping timeout: 260 seconds]
01:06 -!- MeanderingCode [~Meanderin@75-173-14-154.albq.qwest.net] has quit [Read error: Connection reset by peer]
01:08 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
01:09 -!- Porkepix [~Porkepix@dispo-82-248-141-132.adsl.proxad.net] has quit [Ping timeout: 260 seconds]
01:16 -!- Porkepix [~Porkepix@dispo-82-248-141-132.adsl.proxad.net] has joined #openvpn
01:31 -!- cosmicgate-- [~minasan@113.210.99.116] has joined #openvpn
01:32 -!- cosmicgate- [~minasan@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has quit [Ping timeout: 255 seconds]
01:33 -!- cosmicgate- [~minasan@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has joined #openvpn
01:35 -!- cosmicgate-- [~minasan@113.210.99.116] has quit [Ping timeout: 265 seconds]
01:53 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
02:43 -!- valparaiso [~valparais@ARennes-257-1-67-126.w81-53.abo.wanadoo.fr] has joined #openvpn
02:52 -!- valparaiso [~valparais@ARennes-257-1-67-126.w81-53.abo.wanadoo.fr] has quit [Quit: valparaiso]
02:53 -!- cosmicgate-- [~minasan@113.210.99.116] has joined #openvpn
02:55 -!- cosmicgate- [~minasan@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has quit [Ping timeout: 255 seconds]
03:00 -!- cosmicgate- [~minasan@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has joined #openvpn
03:02 -!- cosmicgate-- [~minasan@113.210.99.116] has quit [Ping timeout: 255 seconds]
03:03 -!- cosmicgate- [~minasan@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has quit [Client Quit]
03:14 -!- emate [~marcin@81.219.183.142] has joined #openvpn
03:14 < emate> Hi! I Have a problem with my ccd & ifconfig-push configuration.
03:14 <@krzee> !ifconfig-push
03:15 <@krzee> err
03:15 <@krzee> !static
03:15 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder
03:15 < emate> I have ifconfig-push ifconfig-push 10.99.0.110 10.99.0.109
03:15 < emate> in ccd file
03:15 < emate> but, another client
03:15 -!- brute11k [~brute11k@89.249.230.92] has joined #openvpn
03:15 < emate> gets the same subnet
03:16 <@krzee> try giving static ips in a different subnet from your pool?
03:17 <@krzee> imagine this
03:17 <@krzee> if you have a dhcp network, giving ips 100-200
03:18 <@krzee> then you start plugging a bunch in
03:18 < emate> openvpn is handling dhcp
03:18 < emate> for clients
03:18 <@krzee> then you bring in a machine and program it a static ip of .100
03:18 <@krzee> what would happen?
03:18 <@krzee> but, you wouldnt do that... because you know to give static ips outside your dhcp pool
03:18 <@krzee> so do the same with openvpn
03:19 <@krzee> =]
03:19 < emate> so should i add new "route xxx.xxx.xx.xxx" line to my openvpn server
03:19 < emate> and assign addresses from this subnet?
03:19 <@krzee> you want some static and some not, right?
03:20 < emate> yes
03:20 <@krzee> yes, that is one way
03:20 <@krzee> another would be a client-connect script
03:20 <@krzee> !iporder
03:20 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
03:22 <@krzee> the first isn easier if you dont code
03:22 < emate> i already have client-connect script for iptables rules (acl), so i will use new subnet for static ips.
03:22 <@krzee> is*
03:22 <@krzee> oh ya?
03:22 <@krzee> if you already have a script which you coded it shouldnt be too hard
03:23 <@krzee> but ya the first method is quite easy too =]
03:24 < emate> if i use 'another subnet & ccd' method, will static-ip from ccd be visible in client-connect script?
03:24 <@krzee> be visible?
03:24 <@krzee> you mean like as a variable?
03:24 < emate> yes
03:24 <@krzee> no, unless you choose to read it in like any script could
03:25 <@krzee> so it wouldnt be passed by openvpn, but its quite available
03:26 < F^4> G'day
03:26 < emate> right now i assign iptables rules for client based on ENV['ifconfig_pool_remote_ip']
03:26 < F^4> Is it possible to vpn a vpn for a faster cross-atlantic uplink?
03:27 <@krzee> if you happen to have properly positioned servers, it is possible
03:27 <@krzee> sometimes by forcing your link a certain direction you get a faster route than would have happened naturally
03:28 <@krzee> you should not EXPECT this to happen, but it can happen
03:28 <@krzee> (which i know from personal experience)
03:28 < F^4> I figure a LA vpn -> uk vpn -> web should be faster than me -> uk vpn -> web.. no?
03:28 < emate> so, if i define static-ip for client in ccd dir, will client-connect script know what ip is defined in ccd dir?
03:29 <@krzee> F^4, impossible to know, you could get lucky
03:29 <@krzee> emate, as i said, only if you tell it to look for that in your script
03:30 <@krzee> they are 2 different ways to do it, a client-connect script overrides ccd ip addressing
03:30 < emate> krzee: ok, so i have to scan ccd dir in my client-connect script, right?
03:30 <@krzee> however any script could read the info in your ccd files, so it can be done
03:30 <@krzee> right
03:30 <@krzee> or you could make a more simple method in a single file
03:31 <@krzee> since its your script, you can store the data any way you like
03:31 <@krzee> including a db if you feel so inclined
03:31 <@krzee> F^4, ill share an anecdote with ya
03:31 <@krzee> i live in the caribbean on 3rd world internet, with servers in the usa
03:32 <@krzee> i used to have a server in florida which had great international links, and great links to the usa as well
03:32 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
03:32 <@krzee> when i redirected through that server, i had a better connection to usa than if i used the normal route my ISP gave me
03:34 < F^4> I just figured 2 1gbps connections would do a better job than my 10mbps connection hehe
03:34 < F^4> brb
03:34 <@krzee> i have redirected through many servers, and have only noticed benefit with that 1 server
03:35 <@krzee> F^4, in the end its still only a 10mbps connection
03:35 <@krzee> the connections are between you and the internet, not your vpn servers and the internet
03:35 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
03:36 <@krzee> you're just adjusting your route (which normally adds hops and increases latency)
03:37 -!- Devastator [~devas@177.18.197.127] has joined #openvpn
03:37 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
03:37 <@krzee> however if you can test, go for it
03:38 < emate> krzee: ok, i see, i'll try to do this in client-connect script
03:39 < emate> krzee: thanks for help
03:40 -!- Devastator [~devas@177.18.197.127] has quit [Changing host]
03:40 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
03:41 < F^4> krzee, Like I said I have it all setup, but the one vpn isn't forwarding to the other one
03:44 <@krzee> emate, no problem, maybe if you get it working you could share it back on our wiki for the next guy =]
03:44 <@krzee> F^4, everything you need to understand is here:
03:44 <@krzee> !route
03:44 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
03:45 <@krzee> but you will need to really understand it
03:45 <@krzee> and treat any subnet behind the other peer as a "lan"
03:46 <@krzee> i call what you are doing vpnchains
03:46 <@krzee> i generally dont support it, but i wrote !route after figuring out how to do it
03:47 <@krzee> !serverlan
03:47 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
03:47 <@krzee> !clientlan
03:47 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
03:47 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
03:47 <@krzee> theres some flowcharts for troubleshooting lans behind openvpn
03:47 <@krzee> if you remember and treat any subnet behind the other peer as a "lan" then the flowcharts should help
03:48 <@krzee> if you get stuck, tcpdump is your friend, use it everywhere on the tun devices
03:56 -!- valparaiso [~valparais@ARennes-257-1-67-126.w81-53.abo.wanadoo.fr] has joined #openvpn
04:00 -!- niervol1 [~krystian@193.106.244.150] has joined #openvpn
04:00 -!- valparaiso [~valparais@ARennes-257-1-67-126.w81-53.abo.wanadoo.fr] has quit [Client Quit]
04:01 -!- valparaiso [~valparais@ARennes-257-1-67-126.w81-53.abo.wanadoo.fr] has joined #openvpn
04:01 -!- niervol [~krystian@193.106.244.150] has quit [Ping timeout: 260 seconds]
04:09 -!- oskie [~usel@h-254-83.a218.priv.bahnhof.se] has joined #openvpn
04:09 < oskie> hello. is it normal for OpenVPN to assign all clients the same IP address?
04:10 < oskie> (with tun config)
04:10 <@krzee> no, you need to use different certs for each client
04:10 <@krzee> you are only using 1 now, for testing, right?
04:10 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has quit [Remote host closed the connection]
04:11 -!- valparaiso is now known as valparaiso_reset
04:11 -!- valparaiso_reset is now known as valparaiso
04:11 < oskie> krzee: I'm using openvpn-auth-ldap and client-cert-not-required
04:11 <@krzee> oh
04:11 <@krzee> !authpass
04:11 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
04:11 <@krzee> use username-as-common-name
04:12 < oskie> yeah, I'm using that too, but clients still receive the same IP... is that normal? I mean, does routing even work?
04:12 < oskie> or something is very wrong
04:12 <@krzee> no, they must be bumping each other off
04:12 <@krzee> lemme see your server config
04:13 < oskie> yeah because that's what I think is happening right now
04:13 -!- amir_ [~amir@unaffiliated/amir] has joined #openvpn
04:13 < oskie> hmm should I paste it somewhere?
04:13 <@krzee> yep
04:13 <@krzee> without all the comments if it has them
04:14 <@krzee> type !configs if you need to know how to strip them
04:16 -!- valparaiso [~valparais@ARennes-257-1-67-126.w81-53.abo.wanadoo.fr] has left #openvpn []
04:17 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has joined #openvpn
04:18 -!- brute11k [~brute11k@89.249.230.92] has quit [Ping timeout: 260 seconds]
04:18 < oskie> hmm but I use client config files as well
04:18 < oskie> let's use pastebin or something, wait
04:19 < oskie> http://pastebin.com/t6EyL0pL
04:19 -!- amir_ [~amir@unaffiliated/amir] has quit [Ping timeout: 256 seconds]
04:20 <@krzee> perfect
04:20 <@krzee> and the ccd file[s]
04:21 < oskie> they are simple: there is one file for each access level. they have one line: ifconfig-push 10.9.x.1 10.9.x.2
04:21 < oskie> and there are multiple users for each group (maybe that's the problem)
04:21 <@krzee> 10.9.1.0 and 10.9.2.0 are behind clients and 10.8.0.0/16 is behind the server, right?
04:21 < oskie> yep! 10.9.0.0 is client as well
04:22 <@krzee> let me see a server log at verb 4 with a client connecting, then another connecting
04:23 <@krzee> you can hide public ips if you like
04:23 < oskie> that's going to be a lot of text...
04:23 <@krzee> yes, it is
04:23 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Connection reset by peer]
04:23 <@krzee> pastebin wont mind ;]
04:25 < oskie> but let me first ask: can I even use ifconfig-push 10.9.1.1 10.9.1.2 for two different users? will they not get the same IP?
04:25 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
04:26 <@krzee> definitely dont do that
04:26 <@krzee> i dont know what will happen
04:26 < oskie> ok then that's my problem
04:27 < oskie> but I can't seem to use ifconfig-pool in the client config files
04:27 <@krzee> right
04:27 -!- zeroXten [~zeroXten@0x10.co.uk] has quit [Quit: leaving]
04:28 <@krzee> you can code a client-connect script if you need that flexibility
04:28 < oskie> so is there a way to dynamically assign multiple users to a different subnet than the default
04:28 -!- zeroXten [~zeroXten@0x10.co.uk] has joined #openvpn
04:28 <@krzee> !iporder
04:28 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
04:28 < oskie> ah, ok
04:30 < oskie> if I make such a script, I need to figure out how to dynamically select IPs
04:30 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 264 seconds]
04:30 < oskie> and then write that as "ifconfig-push X Y" in the tmpfile?
04:30 <@krzee> right
04:31 <@krzee> dynamic selection should be easy enough, 6, 10, 14, 18 etc etc
04:31 < oskie> and that's "ifconfig-push SERVERIP CLIENTIP" right?
04:31 <@krzee> oh and 1 since its not the servers subnet
04:31 <@krzee> !static
04:31 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder
04:32 <@krzee> clientip serverip
04:32 <@krzee> well kinda
04:32 < oskie> ah ok!
04:32 <@krzee> clientip internal-to-openvpn-ip
04:32 <@krzee> which represents the server ip for routing purposes
04:32 < oskie> but both need to be dynamic? I can't use the same serverip for all clients, can I?
04:33 <@krzee> both change
04:33 <@krzee> .2 .1 .6 .5 .10 .9
04:33 -!- amir_ [~amir@unaffiliated/amir] has joined #openvpn
04:33 < oskie> hm, you're skipping .4 and .3?
04:34 <@krzee> skipping 4
04:34 <@krzee> the 3 was you doing math bad ;]
04:36 <@krzee> in your topology, if it is ifconfig-push x y, then y is always 1 less than x
04:36 <@krzee> and they both increase by 4 to the next /30
04:36 <@krzee> !/30
04:36 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf
04:36 < oskie> ah ok
04:37 <@krzee> you dont want to use topology subnet
04:37 < oskie> now I just need to code a client-connect script that checks user group in Active Directory and assigns IP based on that
04:37 < oskie> why not topology subnet?
04:37 <@krzee> because clients can change their ip with ifconfig
04:37 < oskie> ah ok
04:37 <@krzee> however with net30 (default) they cant reach the server after doing so
04:38 <@krzee> since you are doing a lot based on ip, that is important
04:38 <@krzee> (i assume the separation of subnets is for firewall rules)
04:39 < oskie> does that mean that a user can disrupt another user by changing his IP in topology=subnet?
04:39 < oskie> or I mean in topology mode
04:39 <@krzee> you said it right, topology subnet
04:40 <@krzee> and i dont know, may as well test it though :D
04:49 < oskie> great, I think that did it. many thanks krzee!
04:49 <@krzee> yw =]
04:50 < oskie> is it possible for two openvpn instances to share the same --server ip address?
04:50 <@krzee> no
04:50 < oskie> ok, good
04:51 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
05:03 < pppingme> as in the ip's assigned to clients? no
05:11 -!- gardar [~gardar@gardar.net] has joined #openvpn
05:14 -!- smooc [~smooc@62.28.98.58] has joined #openvpn
05:23 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Remote host closed the connection]
05:31 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
05:42 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye]
05:46 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn
05:46 < videl> Hi
05:57 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
06:04 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Read error: No route to host]
06:07 -!- pi_ [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn
06:07 -!- pi_ is now known as videl
06:07 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
06:10 -!- brute11k [~brute11k@89.249.231.11] has joined #openvpn
06:20 -!- smerz [~smerz@a177088.upc-a.chello.nl] has quit [Ping timeout: 276 seconds]
06:22 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Ping timeout: 265 seconds]
06:45 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
07:00 -!- smooc [~smooc@62.28.98.58] has quit [Read error: Connection reset by peer]
07:17 -!- ade_b [~Ade@koln-5d81bfd4.pool.mediaWays.net] has joined #openvpn
07:17 -!- ade_b [~Ade@koln-5d81bfd4.pool.mediaWays.net] has quit [Changing host]
07:17 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:39 -!- brute11k [~brute11k@89.249.231.11] has quit [Ping timeout: 240 seconds]
08:02 -!- mattock_afk is now known as mattock
08:03 -!- brute11k [~brute11k@89.249.231.106] has joined #openvpn
08:12 < fys> ugh .. today i go to the dentist for the first time in around 4 years.
08:22 -!- m0sphere [~m0sphere@S01060018e78c9cff.cg.shawcable.net] has quit [Read error: Connection reset by peer]
08:23 -!- m0sphere [m0sphere@S01060018e78c9cff.cg.shawcable.net] has joined #openvpn
08:23 -!- moore1 [~moore@41.206.15.31.vgccl.net] has joined #openvpn
08:28 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
08:36 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
08:37 -!- smooc [~smooc@62.28.98.58] has joined #openvpn
08:48 -!- Porkepix [~Porkepix@dispo-82-248-141-132.adsl.proxad.net] has quit [Ping timeout: 245 seconds]
08:50 -!- emate [~marcin@81.219.183.142] has quit [Quit: leaving]
08:50 -!- Porkepix [~Porkepix@lns-bzn-55-82-255-140-221.adsl.proxad.net] has joined #openvpn
08:57 -!- dvl-_ [~dan@pool-71-162-210-170.phlapa.fios.verizon.net] has joined #openvpn
08:58 -!- moore1 [~moore@41.206.15.31.vgccl.net] has quit []
08:59 < dvl-_> I have a working OpenVPN 2.2.2 routed solution on FreeBSD 8.2 and now I'm trying to make it run as openvpn:openvpn, not nobody:nobody. The problem is /usr/local/etc/openvpn/keys/crl.pem
08:59 < dvl-_> CRL: cannot read: /usr/local/etc/openvpn/keys/crl.pem: Permission denied (errno=13)
08:59 < dvl-_> However: # ls -l /usr/local/etc/openvpn/keys/crl.pem
08:59 < dvl-_> -r--r--r-- 1 openvpn openvpn 499 Feb 26 2009 /usr/local/etc/openvpn/keys/crl.pem
09:00 < dvl-_> oh.... wait... :)
09:00 < dvl-_> fixed. :)
09:01 < dvl-_> it was /usr/local/etc/openvpn still root:wheel
09:04 -!- zeroXten [~zeroXten@0x10.co.uk] has quit [Ping timeout: 245 seconds]
09:13 <@ecrist> :)
09:16 < dvl-_> Love it when explaining finds the problem.
09:16 < dvl-_> ecrist FYI: writing a post on ssl-admin for http://dan.langille.org/ ... should be ready latest today.
09:17 < dvl-_> ecrist I keep seeing this FAIL but no message:
09:17 < dvl-_> Creating initial CRL...Using configuration from /usr/local/etc/ssl-admin/openssl.conf
09:17 < dvl-_> Enter pass phrase for /usr/local/etc/ssl-admin/active/ca.key:
09:17 < dvl-_> FAILssl-admin installed Wed Jan 2 15:16:46 UTC 2013
09:17 -!- niervol1 [~krystian@193.106.244.150] has quit [Remote host closed the connection]
09:17 < dvl-_> See that FAIL? Kind of... confusing.
09:18 < dvl-_> if I quit and go back into ssl-admin, no errors.
09:21 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
09:24 -!- zeroXten [~zeroXten@0x10.co.uk] has joined #openvpn
09:26 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 240 seconds]
09:30 <@dazo> dvl-_: using chroot?
09:30 <@dazo> duh ... you found the issue
09:37 <@ecrist> dvl-_: that FAIL message is a red herring
09:38 <@ecrist> something i've never bothered fixing
09:38 <@ecrist> I'll fix it soon, since you've noticed/pointed it out
09:40 < dvl-_> ecrist: OK, I'll mention that in the article.
09:41 < dvl-_> dazo: no, no chroot involved, but that's an interesting idea. All I'm doing is running openvpn as openvpn:openvpn and chown/chmod all the files so only openvpn can read them.
09:46 < dvl-_> ecrist: I can create tickets at https://www.secure-computing.net/trac/report if you like? I have other items you might want to look at (e.g. spelling)
09:46 <@vpnHelper> Title: Available Reports – SCN Open Source (at www.secure-computing.net)
09:46 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has quit [Quit: leaving]
09:49 <@ecrist> dvl-_: that would be excellent!
09:50 < dvl-_> ecrist: will do. :)
09:50 <@ecrist> I think I need to get a user/pass from you, since that uses .htaccess for auth
09:51 -!- smooc_ [~smooc@95.69.51.167] has joined #openvpn
09:51 <@ecrist> anon ticket creation is disabled (spam)
09:52 -!- smooc [~smooc@62.28.98.58] has quit [Ping timeout: 252 seconds]
10:11 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.]
10:21 -!- master_of_master [~master_of@p57B55644.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
10:23 -!- master_of_master [~master_of@p57B556D3.dip.t-dialin.net] has joined #openvpn
10:26 -!- EmperorTom [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
10:27 -!- EmperorTom is now known as _quadDamage
10:44 -!- hjf [~hjf@184-0-17-190.fibertel.com.ar] has quit [Remote host closed the connection]
10:55 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
10:56 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has quit [Ping timeout: 240 seconds]
11:00 -!- raidz_away is now known as raidz
11:01 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
11:01 -!- mode/#openvpn [+o krzee] by ChanServ
11:09 -!- EugeneKay [eugene@itvends.com] has quit [Quit: ZNC - http://znc.in]
11:09 -!- EugeneKay [eugene@go-without.me] has joined #openvpn
11:33 -!- plaisthos [~arne@kamera.blinkt.de] has joined #openvpn
11:35 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
11:41 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Remote host closed the connection]
11:55 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
11:58 -!- butch128 [~butch@TOROON63-1176061240.sdsl.bell.ca] has joined #openvpn
11:58 -!- smooc_ [~smooc@95.69.51.167] has quit [Ping timeout: 248 seconds]
11:59 < butch128> Trying to get routing working between my openvpn server, and 2 subnets i have connecting to it - anyone willing to comment on what I'm doing wrong?
12:01 < kisom> butch128: My car wont start, any comment on what I'm doing wrong?
12:02 <+pekster> Are these subnets behind your OpenVPN server or your clients?
12:02 < butch128> kisom: point taken, sec
12:02 < butch128> My setup is... OpenVPN Server (10.8.0.1), DD-WRT-1 (10.8.0.6, 192.168.5.0/24) DD-WRT-2 (10.8.0.18, 192.168.1.0/24). From a machine on either subnet (say 192.168.1.100) i'd love to be able to just connect to 192.168.5.1.
12:02 <+pekster> !clientlan
12:02 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
12:02 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
12:02 < butch128> yep, ipforwarding is enabled
12:02 < butch128> ive added ccd files
12:03 < butch128> and iroute push entries
12:03 <+pekster> Have you seen that flowchart? And followed it?
12:03 < butch128> (on the server)
12:03 < butch128> i will do that now, thanks
12:03 <+pekster> That flowchart walks you through every step you need to get client-LAN connectivity set up. Feel free to ask here if you get stuck and need help, but the author of that diagram put time into making it very complete ;)
12:04 <+pekster> (just be sure not to skip steps :P )
12:04 < butch128> so i'm at the final step "Add a route to the router so it knows how to reach the vpn subnet"
12:04 < kisom> butch128: If you get stuck, paste your config files, routing table, iptables rules and ifconfig output somewhere and I'll have a look.
12:04 < butch128> from the router (192.168.1.1) i can ping 192.168.5.1! and its awesome!
12:05 < butch128> from my home machine though (192.168.1.100) i cannot...
12:05 <+pekster> butch128: Are your VPN clients (your *WRT devices) the default router on their respective networks?
12:05 < butch128> thanks, i'll paste the route and such
12:05 < butch128> yes, they are the defaults
12:05 <+pekster> Yea, then configs, logs, and routing views would help. Since they're the defaults, something sounds off with your routing setup (or possibly your firewalls)
12:05 < butch128> yea, turned off the firewalls too... no go
12:06 < kisom> butch128: Can you paste your stuff here? http://piratepad.net/openvpn
12:06 <@vpnHelper> Title: PiratePad: openvpn (at piratepad.net)
12:07 < butch128> http://piratepad.net/ep/pad/view/ro.rzwEcZAY/latest
12:08 <@vpnHelper> Title: PiratePad: ro.rzwEcZAY / Latest text of pad openvpn (at piratepad.net)
12:10 < kisom> butch128: Lots of routers and servers... I'll probably need a diagram on how everything is connected
12:11 < butch128> hmmm
12:11 < butch128> Server (10.8.0.1)
12:11 < butch128> Router#1 (192.168.1.1, 10.8.0.18), Router #2 (192.168.5.1, 10.8.0.1)
12:12 < butch128> two routers connect to server
12:12 < butch128> all that works smashingly well
12:12 < kisom> OK, and the server routes traffic between your routers?
12:12 < butch128> it seems to, from Router #1 (192.168.1.1) i can ssh into 192.168.5.1 (router #2)
12:13 < butch128> hmm... interesting... i didnt try this before.. from router #2 (192.168.5.1) i cannot access router#1... (192.168.1.1)... even though firewalls are disabled and the route table looks correct... that could be my problem, maybe?
12:15 <+pekster> butch128: Can you do that from the VPN server?
12:15 <+pekster> (ie: the flowchart block that asks "Can you ping the lan IP of the client?" )
12:15 < kisom> butch128: Can you please paste your iptables config and ifconfig on the server?
12:15 < butch128> root@li169-68:/etc/openvpn# ping 192.168.5.1
12:15 < butch128> PING 192.168.5.1 (192.168.5.1) 56(84) bytes of data.
12:15 < butch128> 64 bytes from 192.168.5.1: icmp_seq=1 ttl=64 time=90.0 ms
12:15 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
12:15 < butch128> huh...
12:16 < butch128> root@li169-68:/etc/openvpn# ping 192.168.1.1
12:16 < butch128> PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
12:16 < butch128> ^C
12:16 < butch128> --- 192.168.1.1 ping statistics ---
12:16 < butch128> 4 packets transmitted, 0 received, 100% packet loss, time 2999ms
12:16 < butch128> so it only pings one way...
12:16 <+pekster> Sounds like firewall. kisom's suggestion of looking at iptables rules is a good next troubleshooting step
12:16 < kisom> Yes, really sounds like a firewall
12:16 < kisom> Pings do not go "one way"
12:16 < kisom> :P
12:17 < butch128> hmmm k
12:17 <+pekster> Well, the echo-request does, but that's getting off-topic :P
12:17 < butch128> thanks, i'll double check when i'm home whether its disabled... grr
12:17 < butch128> but almost 100% it is...
12:17 < butch128> thanks for the help, it sounds like i didnt miss a step in the config then?
12:18 < kisom> Probably not since you can ping "one way" over the VPN.
12:18 <+pekster> Both clients have a good looking routing view (they route to each other's LANs across the VPN) so my guess is your firewall isn't allowing it on the "dark" system (the one you can't reach)
12:18 < butch128> yea, k
12:19 <+pekster> If you explicitly trust all traffic coming across the secured VPN pipe, something like this tends to work well: '-A INPUT -i tun+ -j ACCEPT' and '-A FORWARD -i tun+ -j ACCEPT'
12:19 <+pekster> Tune for more security if you require it
12:20 <@krzee> ild use -I over -A but yep
12:20 < butch128> k, thanks, i'll try that too
12:20 <+pekster> krzee: That's in iptables-restore syntax ;)
12:20 < kisom> I just woke up, btw
12:20 < butch128> i turned off the firewall in dd-wrt, guess that may not have been enough
12:20 < kisom> 7 PM over here
12:20 <+pekster> Depends on what "turning off" actually does :\
12:20 < butch128> very true
12:21 <+pekster> But yea, if your client can ping the server, but server can't ping the client's LAN IP, it sounds very much like your firewall on that client needs fixing
12:22 <@krzee> if you actually "turned off" the firewall in dd-wrt it would stop doing nat and therefore probably not do what you expect of it
12:22 < chrisb> any issues with using OTP PAM with openvpn authentication? on reconnect?
12:23 <@krzee> i believe that depends on settings
12:23 <@krzee> you can use persist settings and keep it cached in memory
12:24 <+pekster> chrisb: Every re-keying event (1h by default) it'll require a full re-auth (certs and un/pw if you use it), so if the OTP changes between uses like a true OTP would, that will cause problems. You can probably do something creative with the management interface and not caching the credentials
12:25 < kisom> Disabling re-keying is an option too
12:25 < kisom> :)
12:26 <+pekster> Sure. Once every "never" you will need to re-key :P
12:26 < chrisb> this would be yubikey, so yes, real OTP
12:26 <@krzee> oh right i forgot bout that lol
12:26 <@krzee> caching a changing pw doesnt help much lol
12:26 <+pekster> chrisb: My recommendation would be to write a un/pw script that requires the actual OTP for the first auth only, then silently "passes" the user through auth without doing any further checking when it's a re-key
12:27 < chrisb> i have always had persist set, because i think my connection is too dodgy
12:27 <+pekster> chrisb: The env-vars available to the script will let you determine if it's a new or existing connection being authenticated
12:27 <+pekster> That does mean you can't use the ovpn PAM plugin as-is, though
12:27 <@krzee> persist is handy when dropping permissions and having your keys properly chmod'ed
12:28 <@krzee> ^ ild go with pekster's option
12:28 <@krzee> that way you keep forward security
12:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 255 seconds]
12:32 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
12:35 < chrisb> interesting, thanks for these comments
12:36 < chrisb> pekster: what do you mean by "un/pw script"?
12:36 <+pekster> --user-auth-pass-verify
12:36 -!- butch128 [~butch@TOROON63-1176061240.sdsl.bell.ca] has left #openvpn []
12:37 < kisom> How does OpenVPN prompt the user for one time passwords btw?
12:43 < |Mike|> why not work with certs? ;x
12:44 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
12:49 < chrisb> |Mike|: i use certs now, i think OTP is better
12:49 < chrisb> |Mike|: am i wrong?
12:54 <@ecrist> you are
12:54 <@ecrist> using both would be good, though
13:00 < dvl-_> ecrist : yes, I need a login for your trac
13:02 < dvl-_> ecrist I just emailed you. :)
13:08 <@ecrist> kk
13:09 <@ecrist> want to pm me a password?
13:10 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
13:13 -!- dvl-_ [~dan@pool-71-162-210-170.phlapa.fios.verizon.net] has left #openvpn []
13:14 -!- dvl-_ [~dan@pool-71-162-210-170.phlapa.fios.verizon.net] has joined #openvpn
13:14 < dvl-_> oops
13:14 -!- Syndrom [~syndrom@46.249.58.73] has left #openvpn []
13:17 -!- dazo is now known as dazo_afk
13:18 < chrisb> ecrist: what is the reasoning that cert + OTP is better than OTP?
13:18 < chrisb> ecrist: the encryption of the data channel?
13:19 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has joined #openvpn
13:20 < chrisb> http://www.schneier.com/blog/archives/2012/12/china_now_block.html
13:20 <@vpnHelper> Title: Schneier on Security: China Now Blocking Encryption (at www.schneier.com)
13:35 < kisom> Guess the chinese firewall got stateful
13:35 < kisom> Then again, they do not _block_ anything
13:35 < kisom> They just send RST packets
13:35 < kisom> Or at least they did a while back
13:36 <+rob0> RST is TCP. They're detecting openvpn on UDP.
13:37 < kisom> Yeah, I know
13:42 -!- brute11k [~brute11k@89.249.231.106] has quit [Quit: Leaving.]
13:50 <@ecrist> chrisb: because OTP can be shared between users a little easier than certificates.
13:50 <@ecrist> certificates can be revoked
13:51 -!- Devastator [~devas@186.214.14.80] has joined #openvpn
13:51 -!- Devastator [~devas@186.214.14.80] has quit [Changing host]
13:51 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
13:55 < chrisb> ecrist: meaning that if my OTP list is stolen or copied, i may not be able to remedy, but with certs, i can issue the revocation if I own the CA?
13:59 < dvl-_> I'm not using keys with my certificates for OpenVPN. I don't see the benefit of using keys.
13:59 -!- baobei_ [~baobei@208.111.39.160] has joined #openvpn
13:59 < dvl-_> Reasoning: if they can steal a cert, they can steal a key......
14:00 < dvl-_> Unless, I supply the key each time openvpn starts up. Don't really want to do that....
14:01 -!- baobei__ [~baobei@208.111.39.160] has joined #openvpn
14:01 -!- baobei_ [~baobei@208.111.39.160] has quit [Read error: Connection reset by peer]
14:11 -!- Mimiko [~Mimiko@89.28.88.177] has quit []
14:25 <@ecrist> chrisb: that's one train of thought
14:25 <@ecrist> though, it's fairly easy to re-issue one-time passwords, as well
14:26 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 245 seconds]
14:32 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
14:43 <@ecrist> dvl-_: most people, I would guess, don't password-protect their client-side keys
14:46 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
14:50 < dvl-_> ecrist: I'm not protecting my server side cert. The CA is password protected...
14:50 <@ecrist> that's also probably common
14:58 -!- ade_b [~Ade@koln-5d81bfd4.pool.mediaWays.net] has joined #openvpn
14:58 -!- ade_b [~Ade@koln-5d81bfd4.pool.mediaWays.net] has quit [Changing host]
14:58 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
15:00 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
15:08 -!- Konigsberg7 [shawnz@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
15:08 -!- Konigsberg7 [shawnz@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
15:09 -!- shawnz [shawnz@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
15:09 -!- whyz [~e@h145n7-n-a31.ias.bredband.telia.com] has left #openvpn ["Leaving"]
15:09 -!- shawnz is now known as Konigsberg7
15:24 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
15:24 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
15:24 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
15:24 -!- mode/#openvpn [+o krzee] by ChanServ
15:45 -!- Konigsberg7 [shawnz@c-67-163-13-78.hsd1.il.comcast.net] has quit [Ping timeout: 255 seconds]
16:32 < ade_b> I have my own openvpn server and I have setup my girlfriend's linux laptop to use it - how do I do this for a windows laptop
16:33 < ade_b> I cant see anywhere in the windows client to specify the certificates
16:33 < ade_b> I guess I need to create a "Connection Profile" to import - can anyone help me out?
16:36 < ngharo> You create a config and name it with an extension of .ovpn
16:37 -!- baobei__ [~baobei@208.111.39.160] has quit [Ping timeout: 245 seconds]
16:37 < ngharo> the config should look the same as linux except specify 'dev-node' instead of 'dev' iirc
16:49 < plaisthos> ngharo: dev tun/dev tap work fine on windows
16:49 < ade_b> ngharo, ok thanks
16:49 < ngharo> thought you had to match 'dev-node' with the name of the tap interface
16:50 <@krzee> ngharo, you renaming it?
16:50 < ngharo> not me, ade_b
16:50 <@krzee> ahh right
16:50 < ngharo> i shouldnt even be commenting on windows setup. It's been a while since i've done that
16:50 <@krzee> dev-node isnt needed unless renaming
16:51 < ngharo> oh ok
16:52 <@krzee> you know offhand if when i dd a drive to another drive, if all partition info and gpart info gets copied over?
16:52 < ade_b> ngharo, thanks and I put the certs in her "Docs & Settings folders" and just specify the full path?
16:52 < ngharo> ade_b: yep or for easy mode just place them in the ovpn config directory
16:53 < ngharo> krzee: it should.
16:53 < ngharo> pretty sure all the partition info is stored at the beginning of the drive
16:54 < plaisthos> krzee: yes. For gpt you should run gdisk or similar to fix the backup table (it is normally located at the end of the disk) if you are copying to a larger disc
16:55 < ade_b> great, Im using tun interfaces for linux, so I need to change that to tap on Windows?
16:56 <@krzee> the disk is EXACTLY the same size =]
16:58 < ngharo> ade_b: I don't believe so
16:58 <@krzee> ade_b, you must use tun in windows too
16:58 <@krzee> all sides must agree
16:59 <@krzee> in windows they call it a tap device, but it supports tun mode
16:59 -!- Eagleman7 [~androirc@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
16:59 <@krzee> i have requested a name change to "tuntap device" but it didnt stick
17:00 <+pekster> krzee: The code uses 'tun.c' anyway :P
17:00 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
17:01 < ade_b> ngharo, krzee thanks
17:01 < plaisthos> pekster: in (very) old version of the windows tap driver, only tap was possible :)
17:02 <+pekster> Ah, hence the device name. Ah well, it'll go well with 'Referer' headers :P
17:03 <@krzee> hah i didnt know there was a time when it was actually tap only
17:03 <@krzee> i guess it makes sense tho, tun emulation mode would kinda have to come after
17:04 -!- mode/#openvpn [+v plaisthos] by krzee
17:07 -!- Eagleman7 [~androirc@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: AndroIRC - Android IRC Client ( http://www.androirc.com )]
17:12 -!- baobei_ [~baobei@58.37.20.245] has joined #openvpn
17:24 -!- F^4 is now known as F^4[A]
17:31 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
17:37 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
17:38 -!- Porkepix [~Porkepix@lns-bzn-55-82-255-140-221.adsl.proxad.net] has quit [Ping timeout: 252 seconds]
17:40 -!- Porkepix [~Porkepix@lns-bzn-55-82-255-140-221.adsl.proxad.net] has joined #openvpn
17:57 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
18:12 <+dvl> using ssl-admin, I see crl.pem in the prog directory? that seems like I shouldn't be picking that up directly. But that's exactly what I plan to do.
18:33 -!- smerz [~smerz@a177088.upc-a.chello.nl] has joined #openvpn
18:43 <@krzee> just make sure its new
18:57 <+dvl> Yeah, it is.
18:57 <+dvl> Got server started with new keys and ca.crt
18:57 <+dvl> but? client can't authenticate yet
18:58 <+dvl> server say: TLS Error: TLS handshake failed
18:58 <+dvl> client says: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
18:59 <+dvl> just verified cert on client: openssl verify -CAfile ca.crt client.crt
19:00 <+dvl> And done similar on server.
19:03 <+dvl> same issue, both server and client cert: openssl x509 -subject -issuer -noout -in client.crt
19:05 <+pekster> Read the client error more carefully: it's complaining about the server certificate (the one being presented to it from the server)
19:05 <+pekster> The client is failing to verify the cert presented over the wire against the locally configured CA cert file
19:07 <@krzee> md5 both ca.crt's
19:08 <@krzee> be sure they match (assuming they're supposed to, which they normally are)
19:09 <+dvl> both certs are valid from 2 jan, and it's 3 jan (utc)
19:09 <+dvl> yeah, I did that, will do it again
19:10 <+dvl> # md5 ca.crt | grep b45a9a69e954ea70cbfd7c3bb46537e0
19:10 <+dvl> MD5 (ca.crt) = b45a9a69e954ea70cbfd7c3bb46537e0
19:10 <+dvl> they match
19:10 <+dvl> pekster: I see what you mean.
19:11 <+dvl> pekster: so, I'm wondering how that's possible if the ca.crt file is the same... checking
19:11 <+pekster> Who says your server's currently used cert was actually signed by that CA? ;)
19:12 <@krzee> !certinfo
19:12 <@vpnHelper> "certinfo" is run `openssl x509 -in -noout -text` for info from your cert file
19:12 <@krzee> err no
19:12 <@krzee> !certverify
19:12 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile ` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5
19:12 <@krzee> that ^
19:12 <+pekster> Well, that could be updated to indicate that you need to check the *opposing* peer's cert against your *local* CA
19:13 <@krzee> pekster, ya but i dont wanna get confusing, anyone asking about this stuff should be using the same ca.crt on both sides
19:13 <+dvl> I've run verify already (see above), but I'll run it again.
19:13 <+pekster> dvl: No, you checked the *client* cert against the *client's* CA cert. That's not what you need to be doing
19:13 <@krzee> pekster, the ca.crt's match md5
19:14 <+pekster> So? The server doesn't check its own cert against the CA
19:14 <+dvl> pekster: we've already established that the ca.cert match
19:14 <+pekster> The client does
19:14 <@krzee> checking against local ca.crt IS checking against the other side
19:14 <@krzee> since they are the same exact ca.crt
19:14 <+pekster> Oh, if the CA's match and he did that on the server too?
19:14 <+pekster> k
19:14 <+pekster> nvm, I missed that part
19:14 <@krzee> right, needs to do it on server too
19:15 <+dvl> I ran verify before, on both client and server. Just ran it again.
19:15 <+dvl> I also checked that the openvpn.conf file referred to said ca.crt
19:16 <+dvl> Hmmm.
19:16 <+dvl> FWIW, this was a working configuration before I changed the certs
19:16 <@krzee> run ntpdate on both machines?
19:16 <@krzee> although the error should be different if it was time
19:17 <+dvl> yes
19:17 <+pekster> You checked directories? Sometimes if you do (or don't) use a 'cd' dir your relative path can be misleading
19:17 <+dvl> times match. just verified.
19:18 <@krzee> ^ same if you chroot
19:18 <+dvl> pekster: no relative paths in config file. I copy pasted the names and ran verify again.
19:18 <+pekster> Upping the verbosity might help too: verb 5 is a good place to start (not sure offhand if higher levels of debug verbosity, say 6-7 would be more helpful with TLS issues)
19:18 <+dvl> no chroot involved.
19:18 <+dvl> Bumping verb on client
19:18 <@krzee> i would never use more than verb 5, plaisthos might tho
19:19 <@krzee> since he digs in that code, and im a mere user
19:19 <+dvl> ahuh
19:19 <+dvl> openvpn[73944]: VERIFY nsCertType ERROR
19:19 <+pekster> There ya go
19:19 <+dvl> there you go? I bet it's the client, not the server.
19:19 <+dvl> Fixing.
19:19 <@krzee> ahh
19:20 <@krzee> well depends how you look at it
19:20 <@krzee> the problem is the server cert, or the client config
19:20 <+pekster> That can be either. 'nsCertType' is a Netscape-era option; personally, I prefer using KU/EKU fields, but they all really do the same thing
19:20 <@krzee> although if you say the problem is client config, you may be open to MITM attacks
19:21 <@krzee> yep^ i say "may" because theres 2 ways to check it is signed as the server (what pekster said above)
19:21 <+dvl> I've been using ssl-admin for the first time. I *know* I created both certificates with the same steps.
19:21 <+pekster> krzee: I just hate "Netscape" crap in my certs :P (call me a purist if you like :D )
19:21 <+dvl> S) Create new Signed Server certificate
19:21 <+dvl> I shall update my notes.
19:22 <@krzee> :D
19:22 <+dvl> Folks: I'm sure this is the problem. Thank you for bearing with me. :)
19:22 <+pekster> Well, ssl-admin apparently doesn't include the nsCertType X509 field. It's a dumb field anyway, in my not-so-humble opinion
19:22 <@krzee> yes it does
19:22 <@krzee> i added the option to it years ago
19:22 <@krzee> its the option: S
19:22 <+pekster> Ah. I suppose, if people use the tls-verify directive you'd need it
19:23 * pekster sometimes forgets most folks like helper-directives
19:24 <+dvl> success!
19:24 <+dvl> Thank you folks. FYI, I'm writing up a how-to.
19:24 <+dvl> Good error.
19:25 <+dvl> I've also raised three tickets.
19:25 <+pekster> When in doubt, get more error verbosity ;)
19:25 <+dvl> [not related to tonight]
19:25 <+dvl> yes. Good plan
19:25 <+pekster> If that fails, open a beer and dig into the code :P (or find help)
19:25 <@krzee> oh maybe im wrong
19:25 <@krzee> i added whatever it was that makes nscerttype server work
19:25 <@krzee> whatever that was, lol
19:26 -!- F^4[A] is now known as F^4
19:26 <+pekster> Yea, that's nsCertType (or w/e the ANSI-name for that field is formally. I'm not OCD enough to find you the OID :D )
19:26 -!- raidz is now known as raidz_away
19:27 <@krzee> ya neither of us care too much :D
19:28 <@krzee> im working at talking to 2 girls via sms on my phone
19:28 <@krzee> working AND talking*
19:28 <+pekster> Well, I'm watching a 1h talk from 29C3 on the Russian surveillance state. Maybe you're doing it right, I dunno :P
19:28 <+pekster> Some day maybe I'll have a gal that enjoys curling up and watching it too ;)
19:30 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
19:30 <@krzee> thats asking too mucg
19:30 <@krzee> much*
19:31 <@krzee> if you can find one who can deal with you watching those all night, shes good enough
19:31 <@krzee> lol
19:31 <+pekster> Could be. I've heard some good questions posed to the speakers from women at 29C3 too ;)
19:31 <@krzee> got the link handy? that sounds good
19:32 <+pekster> Talk ID: 5402 from http://mirror.fem-net.de/CCC/29C3/mp4-h264-HQ/ (the torrents are mighty fast, and I like taking pressure off the http mirrors.) Full event list here: https://events.ccc.de/congress/2012/Fahrplan/day_2012-12-27.en.html
19:32 <@vpnHelper> Title: Index of /CCC/29C3/mp4-h264-HQ/ (at mirror.fem-net.de)
19:33 <@krzee> thanks
19:33 <+pekster> J. Appelbaum's opening 'not my department' and the 'enemies of the state' were also good talks. If you're into PKI, the 'certificate authority collapse' was also a nice watch
19:34 <+pekster> Tons of good stuff from this year's conference
19:34 <@krzee> always good stuff at ccc
19:34 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:36 <+dvl> Is all up and running now
19:36 <+dvl> :)
19:37 <@krzee> o/
19:37 <@krzee> hacking cisco phones… sounds fun!
19:38 <@krzee> <--- likes voip
19:38 <@krzee> shit i wanna see half of these
19:38 <@krzee> i gotta go out there some year
19:46 < kisom> Sucks harald didn't speak at 29C3
19:46 < kisom> In fact, there are no good GSM talks imo
19:47 < kisom> krzee: Need someone to go with? I know I do
19:50 < chrisb> does CCC equal chaos computer club?
19:50 <+pekster> Yea
19:51 -!- digilink [~digilink@unaffiliated/digilink] has quit [Quit: ZNC - http://znc.in]
19:54 <@krzee> sure, wanna pick me up in the caribbean? haha
20:16 < kisom> Cuba?
20:23 <@krzee> 15.3G scanned out of 381G at 3.38M/s, 30h46m to go
20:23 <@krzee> 15.3G resilvered, 4.01% done
20:40 < EugeneKay> k
20:42 < chrisb> krzee: zfs?
20:56 -!- Sorinan [~bcdonadio@177.18.136.35] has joined #openvpn
20:57 < Sorinan> is there a way to specify a command to run before any connection is made in the OpenVPN client?
20:58 < Sorinan> or maybe something like ProxyCommand from SSH, to run a command and pipe the connection through it?
21:06 <@krzee> chrisb, yep
21:07 <@krzee> Sorinan, run the command wherever you start openvpn, and just run the command before you start openvpn
21:07 <@krzee> or have a look at the places scripts hook into openvpn and see if one is what you want
21:07 <@krzee> !script
21:08 <@vpnHelper> "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
21:11 < Sorinan> krzee, and is it possible to pipe the openvpn connection through an existing connection?
21:12 < Sorinan> the idea is to automate things with network-manager, so having to create the connection manually beforehand isn't practical
21:23 <@krzee> i have no idea what you mean
21:23 <@krzee> what existing connection…?
21:32 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 244 seconds]
21:32 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 240 seconds]
21:33 < Sorinan> krzee, so, basically I can use the ProxyCommand feature in SSH to create a connection to a middleman, instruct this middleman to netcat my final server, and then use this connection to access the final server via SSH
21:33 < Sorinan> I was wondering if I could do something similar with openvpn
21:33 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
21:33 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
21:34 < Sorinan> in a nutshell: tell OpenVPN to create an SSH connection to a middleman, forward this connection to the final server, and use this pipe created to communicate
21:44 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
21:53 -!- brute11k [~brute11k@89.249.230.141] has joined #openvpn
21:58 -!- Sorinan [~bcdonadio@177.18.136.35] has quit [Quit: Saindo]
22:03 -!- HyperGlide [~HyperGlid@222.211.121.189] has joined #openvpn
22:04 <+pekster> photo from a 29C3 talk on factoring RSA primes, discussing in this case a 1024-bit pubkey: http://pekster.sdf.org/misc/bluffdale_power.png
22:05 <+pekster> I've been using larger for some time, but hopefully someone still using key sizes under 2k bits is re-thinking their usage now
22:07 <+pekster> (oh, image updated with a slide a moment later)
22:12 -!- baobei_ [~baobei@58.37.20.245] has quit [Read error: Connection reset by peer]
22:13 -!- baobei_ [~baobei@58.37.20.245] has joined #openvpn
22:17 -!- nikoc31337 [~maniac@adsl-26.176.58.244.tellas.gr] has joined #openvpn
22:17 < nikoc31337> hey
22:18 < nikoc31337> !welcome
22:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
22:18 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:18 < nikoc31337> I would like some info related to openvpn server ddos protection.
22:18 < nikoc31337> anyone available to give me his lights? :P
22:21 <+pekster> nikoc31337: Your best bet when using X509 is to add a --tls-auth key between peers to prevent the abuse of resources by unauthenticated attackers. The manpage goes into detail on using this and what the technical advantages are that prevent wasting resources from external attackers
22:22 <+pekster> You can also run OpenVPN on a non-standard port (say, a high randomly-selected port.) UDP will also be better, especially when combined with the --tls-auth feature, since it's far less open to port-scanning attacks
22:30 < nikoc31337> Well, im running other hosting services at the moment.
22:31 < nikoc31337> And the company i have my servers on, offers ddos protection for port 80 and 443
22:32 <+pekster> Then I don't really get what you're asking. OpenVPN has some internal protection against the traditional threat of ddos, which is resource consumption and hanging connections. Use of --tls-auth and UDP reduces these impacts. If you want to do upstream filtering of apparent DDoS through your ISP, that's outside the scope of OpenVPN and I'm unclear what you mean if you're asking about that
22:32 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
22:32 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
22:32 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
22:32 -!- mode/#openvpn [+o krzee] by ChanServ
22:34 < nikoc31337> Im hearing everywhere that VPN Services keep getting hit by DDOS attacks.
22:35 < nikoc31337> Im planning on starting a VPN Service soon and this is a thing im stuck on.
22:36 < nikoc31337> If someone attacks port 1194, would the server go down?
22:36 <+pekster> Depends on the scale of the DDoS. Your best bet if you're concerned about becoming a target (such as a high-profile server, etc) is to do exactly what I said above and use --tls-auth support and run on a non-standard port (something besides 1194 or 5000)
22:37 < nikoc31337> Hm, isn't the port shown to the customers?
22:37 <+pekster> If you have configs that will end up semi-public (to end-users, etc) then the port question is somewhat irrelevant since it would be easy to discover what other port you're using
22:37 < nikoc31337> Yeah..
22:38 <+pekster> Did you read about --tls-auth in the manpage? I think that basically addresses the resource-exhaustion issue you're primarily concerned with
22:39 <+pekster> Otherwise, feel free to contract with your ISP to throttle requests if you get more than a specified number of new (non-existing) connections in a period of time. I can't help you with that since that would be an issue between you and your ISP
22:39 < Devastator> keep in mind that if your server is hit in a port that's used by another service, your server CAN go down as well, it's the nature of ddos attack, openvpn isn't to blame
22:39 < nikoc31337> yeah, im not planning on hosting something else -- than openvpn server.
22:40 < rkantos> just start off with cloudflare or similar at least :D
22:40 < nikoc31337> cloudflare is used for websites :P
22:40 < rkantos> yeah but you never know in this day and age if your 1TB memory server hosts everything you do ;)
22:41 < nikoc31337> :D
22:41 < rkantos> with some 10Gb/s cards, you can do quite the shit with one 4u server
22:42 <+pekster> Save money and buy our meta-basket: it's so good, it'll hold all your eggs without the need to ever worry about baskets again!
22:42 < rkantos> 32 cores, 512GB DDR, 4x10Gb/s ports 10-15k maybe?
22:42 < nikoc31337> Can the server run under port 443?
22:42 < nikoc31337> actually let the customers connect under port 443
22:42 < nikoc31337> which will be filtered
22:43 < rkantos> I'd think it can
22:43 <@krzee> !hmac
22:43 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls
22:43 < rkantos> but it'll perhaps create some conflicts?
22:43 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
22:43 < nikoc31337> you say?
22:43 <+pekster> rkantos: TCP is far more abusive and resource-consuming in early connections than UDP, and also has its own set of problems. Unless you need TCP, you shouldn't use it
22:44 <+pekster> !tcp
22:44 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
22:44 < nikoc31337> so, pekster
22:44 <@krzee> and with udp you can add hmac signatures
22:44 < rkantos> pekster: yeah
22:44 < nikoc31337> do you think it would create any conflicts
22:44 <@krzee> which is an anti layer 7 ddos feature
22:45 < nikoc31337> if it was running under port 443?
22:46 <+pekster> "conflicts" ? Not unless something else is using that port. A port is a number. You can run OpenVPN on UDP 443, TCP 443, UDP port 1, or UDP port 65535. It's just a number
22:46 < rkantos> well 443 is used by HTTPS..
22:46 < nikoc31337> With traffic filtering.
22:46 <+pekster> I've no clue since I'm not your ISP and have no idea how your ISP filters
22:46 <+pekster> !notovpn
22:46 < rkantos> but of course that doesn't matter for the client
22:46 <@vpnHelper> "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
22:47 < rkantos> what is it with everybody on this channel knowing how to use the !-marks
22:47 < rkantos> or spawn them in an instant :D
22:47 <+pekster> rkantos: Because people who come here often ask the same questions our bot can answer
22:48 <+pekster> I'm not going to type out several answers explaining that I can't explain a question about an ISP I have never worked with before
22:48 < rkantos> yeayea, but why does everyone know the commands in an instant
22:48 <+pekster> I use dozens of them frequently. You can find a full list here:
22:48 <+pekster> !factoids
22:48 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
22:48 < nikoc31337> Thanks for the help pekster :)
22:49 <+pekster> nikoc31337: Yup. Ultimately I think you're better off using OpenVPN on UDP, change the port if you like (not really helpful, but maybe a little) and use --tls-auth. That's *probably* better than any filtering your ISP can do
22:50 <+pekster> If you need more than that, invest in hardware solutions or contract upstream (ISP, hosting provider, etc) for further protection closer to the Internet source
22:54 < nikoc31337> in your opinion the best OS to run the server on is?
22:54 <+pekster> !bestos
22:54 <@vpnHelper> "bestos" is the best os for openvpn is the one you are most comfortable with
22:54 < nikoc31337> that's cool
22:54 < nikoc31337> thanks a lot mate
22:54 <+pekster> Depends on what you want to do, really ;). I'd recommend a Linux or Unix variant, but that's just me personally
22:54 < nikoc31337> appreciate it :)
22:54 < nikoc31337> yeah im using centos :)
22:54 <@krzee> if you're worried about dos attacks you should be on udp
22:55 < rkantos> aren't most vpn services udp anyway?
22:55 <+pekster> Yea, that was my advice too; the ISP apparently offers some "filtering" service for select ports, but I'm guessing it's based on protocol (bound to those ports, perhaps) and not the ports themselves
22:55 < rkantos> or both
22:55 <@krzee> tcp cant use hmac sigs which means layer7 can be attacked
22:55 <@krzee> yep
22:56 < nikoc31337> do you think if i use the server with GUI admin panel
22:56 < nikoc31337> It would make the server unstable or something.
22:56 < nikoc31337> Generating customer configs is easier with gui
22:56 <@krzee> if you must go that route, firewall the hell out of that crap
22:56 < rkantos> nikoc31337: cloudflare?
22:56 < rkantos> or wha
22:57 < nikoc31337> ?
22:57 < rkantos> what kind of GUI you mean?
22:57 <@krzee> in fact maybe only run it on a separate vpn server ip that only you have pki into
22:57 <@krzee> and dont allow any ip forwarding to that interface
22:58 < nikoc31337> Yeah i had this on my mind
22:58 < nikoc31337> Admin web interface, is installed always when installing an access server?
22:58 <+pekster> krzee: Um, I just turned on tls-auth in a tcp-server configuration and it worked fine. You can still handshake across TCP, but the HMAC and packet-dropping feature works just fine
22:58 <@krzee> coulda sworn that was udp only!
22:59 <+pekster> Nope. it's applied right to the TLS channel directly
22:59 <+pekster> (think of it sorta like 802.1Q)
23:02 <+pekster> Remember that it's just TLS; the data channel itself doesn't have any extra signature added since the goal is to prevent abuse of resources handshaking, encoding, and decoding TLS traffic (which is computationally expensive.) Malicious handling of data-stream packets is detected via normal hashing methods and dropped as malformed, but that's far cheaper in terms of computing power
23:10 <@krzee> meh and the manual clearly says "on the udp/tcp port" i wonder where i got that false idea
23:10 -!- hounge [~andro@5.254.147.250] has joined #openvpn
23:13 <@krzee> so it always hashes the control channel packets
23:14 <+pekster> Well, the control channel is secured via X509 pubkey crypto. --tls-auth adds an *extra* symmetric-based hash on top of this so the receiver doesn't have to use (expensive) pubkey crypto to see if the sender knows the PSK
23:15 <@krzee> and stops something like slowloris-ovpn from existing
23:30 -!- hounge [~andro@5.254.147.250] has quit [Ping timeout: 256 seconds]
23:38 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
--- Day changed Thu Jan 03 2013
00:06 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Ping timeout: 276 seconds]
00:14 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has joined #openvpn
00:21 -!- cosmicgate-- [~cosmicgat@113.210.102.213] has joined #openvpn
00:23 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has quit [Ping timeout: 252 seconds]
00:34 -!- AndroUser2 [~andro@5.254.147.182] has joined #openvpn
00:36 -!- Porkepix [~Porkepix@lns-bzn-55-82-255-140-221.adsl.proxad.net] has quit [Ping timeout: 252 seconds]
00:38 -!- cosmicgate-- [~cosmicgat@113.210.102.213] has quit [Ping timeout: 255 seconds]
00:38 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has joined #openvpn
00:53 -!- AndroUser2 [~andro@5.254.147.182] has quit [Ping timeout: 272 seconds]
00:55 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has quit [Quit: Ex-Chat]
01:35 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has joined #openvpn
01:47 -!- F^4 is now known as Yawa
01:57 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has joined #openvpn
02:02 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
02:17 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 244 seconds]
02:36 -!- cosmicgate-- [~cosmicgat@113.210.102.213] has joined #openvpn
02:38 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has quit [Ping timeout: 240 seconds]
02:40 -!- cosmicgate-- [~cosmicgat@113.210.102.213] has quit [Ping timeout: 240 seconds]
02:41 -!- cosmicgate- [~cosmicgat@198.147.22.172] has joined #openvpn
02:41 -!- HyperGlide [~HyperGlid@222.211.121.189] has left #openvpn ["Leaving..."]
02:48 -!- cosmicgate- [~cosmicgat@198.147.22.172] has quit []
03:13 -!- Porkepix [~Porkepix@lns-bzn-55-82-255-140-221.adsl.proxad.net] has joined #openvpn
03:23 -!- Denial [Denial@92.239.45.77] has joined #openvpn
03:40 -!- nikoc31337 [~maniac@adsl-26.176.58.244.tellas.gr] has quit []
04:17 -!- baobei_ [~baobei@58.37.20.245] has quit [Quit: Leaving]
04:21 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn
04:25 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 248 seconds]
05:32 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
05:36 -!- dazo_afk is now known as dazo
05:43 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye]
05:44 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has quit [Remote host closed the connection]
06:53 -!- m0sphere` [~m0sphere@S01060018e78c9cff.cg.shawcable.net] has joined #openvpn
06:53 -!- m0sphere [m0sphere@S01060018e78c9cff.cg.shawcable.net] has quit [Read error: Connection reset by peer]
07:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:24 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
07:40 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
07:40 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Quit: Don't flap your BGP at me sonny]
07:53 -!- smerz [~smerz@a177088.upc-a.chello.nl] has quit [Remote host closed the connection]
07:57 -!- ag4ve [~ag4ve@96.26.67.194] has quit [Ping timeout: 245 seconds]
07:59 -!- ag4ve [~ag4ve@96.26.67.194] has joined #openvpn
08:04 -!- manitu [~Thunderbi@h-213.61.163.68.host.de.colt.net] has joined #openvpn
08:05 -!- zol_ [~z@del63-4-78-248-82-46.fbx.proxad.net] has joined #openvpn
08:06 < manitu> hi ho.. can i use openvpn as proxy?.. i tried it like that: get the google.com dns, "ip route add google_ip/32 via my_vpn_ip" and then "ping google.com" .. before i got an answer from google, after adding the route there is no answer anymore
08:08 <@dazo> manitu: no, openvpn is not a proxy .... openvpn is a VPN solution, which is completely different from what a proxy does
08:10 < manitu> dazo: i know.. but i have a ipsec network without any leftsubnet.. i want to connect to a server by openvpn to access the ipsec devices.. thats the problem if not every devices knows openvpn :/
08:10 < manitu> *device
08:10 <@dazo> then you need to learn about routing
08:12 < zol_> Is it interesting to put a 8192 rsa key ? ( not 1024 or 2048 default )
08:12 < zol_> or 4096
08:12 < manitu> yea.. but thats a problem, because in ipsec you need to define a "leftsubnet", so the ipsec server accepts traffic from this subnet.. but the server provider can't add any subnet in that "device" for me.. so i need to rewrite the source ip, like a proxy does.. i hoped that openvpn could manage that, if i define the destination address-range
08:14 < manitu> i also can connect to ipsec on the client, which is already connected to the central openvpn server.. but i'm thinking of "routing" this traffic as a really nice way.. and not every device needs the ipsec client
08:16 -!- nikoc31337 [~maniac@adsl-26.176.58.244.tellas.gr] has joined #openvpn
08:16 < nikoc31337> Hey, i have one question.
08:16 <@dazo> zol_: the stronger key, the longer it will take to crack it
08:16 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has quit [Ping timeout: 264 seconds]
08:16 < nikoc31337> Is it possible to generate client config
08:17 < nikoc31337> through the admin web gui?
08:17 <@dazo> nikoc31337: sounds like you should ask in !AS
08:17 <@dazo> !AS
08:17 <@vpnHelper> "AS" is please go to #OpenVPN-AS for help with Access-Server
08:17 <@dazo> (the community edition doesn't have any admin web gui)
08:17 < nikoc31337> Thanks !
08:17 <@dazo> no worries!
08:18 <@dazo> manitu: I have no experience with ipsec ... so I dunno how this leftsubnet works ....
08:26 -!- brute11k [~brute11k@89.249.230.141] has quit [Ping timeout: 265 seconds]
08:30 -!- brute11k [~brute11k@89.249.230.141] has joined #openvpn
08:33 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
08:34 < manitu> dazo: going to try a NAT with iptables now.. i hope that works somehow.. and thank you :)
08:36 -!- pie__ [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
08:37 < pie__> Is there a way to add an arbitrary lan ip to the vpn?
08:37 < pie__> So for example I could access 192.168.1.43 via 10.3.0.14 or somesuch
08:38 < pie__> this is on the server lan
08:40 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
08:46 <@ecrist> dvl: ping - I replied to your email, update to ssl-admin in the pipe
08:46 < dvl-_> checking...
08:49 -!- plaisthos [~arne@kamera.blinkt.de] has quit [Changing host]
08:49 -!- plaisthos [~arne@openvpn/developer/plaisthos] has joined #openvpn
08:49 -!- ServerMode/#openvpn [+v plaisthos] by verne.freenode.net
08:49 -!- mode/#openvpn [-v plaisthos] by ChanServ
08:49 < dvl-_> updating
08:49 -!- Porkepix [~Porkepix@lns-bzn-55-82-255-140-221.adsl.proxad.net] has quit [Ping timeout: 255 seconds]
08:51 -!- plaisthos [~arne@openvpn/developer/plaisthos] has quit [Changing host]
08:51 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
08:51 -!- mode/#openvpn [+o plaisthos] by ChanServ
08:51 <@ecrist> EugeneKay: ping - please contact mattock when you've time
08:51 -!- Porkepix [~Porkepix@lns-bzn-29-82-248-243-164.adsl.proxad.net] has joined #openvpn
08:53 < EugeneKay> Mrh
08:53 < EugeneKay> Like, by email?
08:54 * plaisthos can now no longer hide as "just a visitor without op/voice"
08:54 <@ecrist> lol
08:54 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
08:54 <@ecrist> EugeneKay: IRC/PM or email - he has a present for you
08:54 < EugeneKay> If he needs my address, `whois eugenekay.com`
08:55 <@ecrist> kk
08:55 < |Mike|> lol
08:55 <@ecrist> is your shirt size listed there, too?
08:55 < EugeneKay> Possibly, but XL is fine.
08:55 < |Mike|> xs!
08:56 -!- mode/#openvpn [+v EugeneKay] by ChanServ
08:56 <+EugeneKay> I must have reconnected at some point. I knew something was missing
08:56 <@mattock> EugeneKay: roger that
08:57 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Quit: Changing server]
08:57 <+EugeneKay> <3
08:59 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
08:59 -!- mode/#openvpn [+o plaisthos] by ChanServ
09:22 < dvl-_> ecrist : typo in 1.0.5, see email
09:24 -!- StFS [~stefan@gagnasetur.ru.is] has left #openvpn []
09:24 <@ecrist> *grumble*
09:25 <@ecrist> ah, that's relatively minor, though.
09:26 < dvl-_> yeah... but it's conifiguration... ;)
09:36 < dvl-_> ecrist: Am I correct in seeing that the question: Can I move signing request (supernews.example.org.csr) to the csr directory for archiving? (y/n): ===> supernews.example.org.csr moved.
09:36 < dvl-_> ... is always ignored? I don't recall answering that question.
09:38 <@ecrist> in 1.0.5 it's answered as 'y' automatically when you use option 4
09:39 < dvl-_> Good.
09:39 <@ecrist> dvl-_: the config filename typo - been around for nearly 4 years in that state, you're the first to mention it
09:40 <@ecrist> not anticipating a flood of email
09:40 <@ecrist> ;)
09:41 < dvl-_> It's not been written up on FreeBSD Diary before. ;)
09:43 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
09:44 <@ecrist> heh
09:49 < dvl-_> ecrist: I ran 1.0.5 and updated the post with the new 'screen shots'.
09:49 -!- manitu [~Thunderbi@h-213.61.163.68.host.de.colt.net] has quit [Quit: manitu]
09:52 <@ecrist> did the rest of my notes make sense?
09:56 <@ecrist> dvl-_: on freebsd, if you're using the openvpn port install, you can just use relative pathing in the config
09:57 <@ecrist> so, if you're putting your keys in /usr/local/etc/openvpn/keys, you can just have keys/ca.crt, etc
09:57 <@ecrist> the openvpn rc script adds the --cd option to the startup, and makes /usr/local/etc/openvpn the pwd
09:58 < dvl-_> ecrist: which will make chroot easier....
10:01 < dvl-_> ecrist: I've made that note in the post.
10:10 < dvl-_> ecrist: OK, ready to publish. Schedule for 9pm tonight.
10:10 <@ecrist> neat!
10:12 -!- Porkepix [~Porkepix@lns-bzn-29-82-248-243-164.adsl.proxad.net] has quit [Quit: Computer has gone to sleep.]
10:16 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has left #openvpn ["WeeChat 0.3.9.2"]
10:17 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has joined #openvpn
10:17 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has left #openvpn []
10:17 < dvl-_> OK, heading over to EFNET for some ports work...
10:17 -!- dvl-_ [~dan@pool-71-162-210-170.phlapa.fios.verizon.net] has quit [Quit: Killed (einride (Requested by panasync))]
10:21 -!- Porkepix [~Porkepix@lns-bzn-29-82-248-243-164.adsl.proxad.net] has joined #openvpn
10:21 -!- master_of_master [~master_of@p57B556D3.dip.t-dialin.net] has quit [Ping timeout: 252 seconds]
10:23 -!- master_of_master [~master_of@p57B54F45.dip.t-dialin.net] has joined #openvpn
10:27 -!- Porkepix [~Porkepix@lns-bzn-29-82-248-243-164.adsl.proxad.net] has quit [Ping timeout: 252 seconds]
10:36 -!- Porkepix [~Porkepix@lns-bzn-29-82-248-243-164.adsl.proxad.net] has joined #openvpn
10:47 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
11:03 -!- raidz_away is now known as raidz
11:12 -!- nikoc31337 [~maniac@adsl-26.176.58.244.tellas.gr] has quit []
11:15 -!- ade_b [~Ade@koln-5d817780.pool.mediaWays.net] has joined #openvpn
11:15 -!- ade_b [~Ade@koln-5d817780.pool.mediaWays.net] has quit [Changing host]
11:15 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:19 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
11:21 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
11:24 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
11:24 -!- mode/#openvpn [+o krzee] by ChanServ
11:35 -!- Rolybrau [noident@unaffiliated/rolybrau] has joined #openvpn
11:43 -!- Rolybrau [noident@unaffiliated/rolybrau] has quit [Quit: Rolybrau]
11:57 -!- naquad [~naquad@82.146.43.183] has left #openvpn ["Ухожу я от вас"]
12:00 -!- Azrael808 [~peter@cpc17-walt12-2-0-cust657.13-2.cable.virginmedia.com] has joined #openvpn
12:10 -!- torkelatgenet [~torkelatg@38.84-234-168.customer.lyse.net] has joined #openvpn
12:11 < torkelatgenet> Hello, i am trying to configure an openvpn client on my android, how should i do that?
12:11 < torkelatgenet> should i post my server config?
12:15 <@krzee> !android
12:15 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) If running cyanogenmod, openvpn and busybox are already installed for you! or (#3) If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the
12:15 <@vpnHelper> market
12:25 < torkelatgenet> !
12:29 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
12:31 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
12:58 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has joined #openvpn
13:20 <@dazo> torkelatgenet: if you already got a working config for a computer ... you basically just need to dump the config and additional files to the SD storage and can import it from there
13:20 <@dazo> iirc
13:20 <@krzee> ^^ yep
13:42 -!- Mimiko [~Mimiko@89.28.88.177] has quit []
13:43 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 244 seconds]
13:49 -!- k1ng [~k1ng@unaffiliated/k1ng] has quit [Read error: Connection reset by peer]
13:50 -!- k1ng [~k1ng@unaffiliated/k1ng] has joined #openvpn
14:11 < videl> Do you guys happen to have a documentation or a lesson on TCP/IP Routing ? I found one on Google, but wondered if you guys use a special one
14:11 <+pekster> !tcpip
14:11 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
14:11 < videl> Ah, thanks
14:17 -!- brute11k [~brute11k@89.249.230.141] has quit [Ping timeout: 260 seconds]
14:21 -!- raidz is now known as raidz_away
14:23 -!- raidz_away is now known as raidz
14:38 -!- i7c [~i7c@212.47.190.111] has joined #openvpn
14:38 < i7c> what to use, easy-rsa 1.0 or 2.0?
14:42 <@krzee> 2.0
14:42 <@krzee> !easy-rsa
14:42 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) Download easy-rsa from GitHub at https://github.com/OpenVPN/easy-rsa
14:43 < i7c> thx
14:54 <@ecrist> 2.0
14:54 <@ecrist> or, ssl-admin
14:54 <@ecrist> new version released today
14:55 < d1gital> what do the W's in the output mean at verb 5?
14:57 <@dazo> d1gital: that a write operation is happening on either the tun/tap device or the TCP/UDP socket ... All 'w' are the "other" socket (TCP/UDP or tun/tap) ... but I always forget and mix up which is which
14:57 <@dazo> d1gital: it's the same with R/r too
15:00 < d1gital> dazo: I see.
15:01 < d1gital> Only my client reports "Initialization sequence completed", and my server does not.
15:01 < d1gital> after that, the client says "Invalid argument (code=22)", and the server just prints some W's
15:11 <@plaisthos> d1gital: educated guess, dev tun vs dev tap
15:30 < i7c> how to prevent OpenVPN from doing that double-IP thingy? my clients all have an IP and a "destination"... I think that was something necessary on Windows
15:30 < i7c> I don't want it though
15:30 < ngharo> !topology
15:30 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this.
15:31 < ngharo> so you want 'topology subnet'
15:31 < ngharo> instead of the /30
15:31 < ngharo> !/30
15:31 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet (4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf
15:31 < i7c> will read, thanks
15:49 < i7c> is there an option to "push nothing" to the client? so that I can freely configure my routing table manually?
15:49 <+rob0> uh ... don't use "push" on the server side if you want to push nothing
15:50 <+rob0> you might also be interested in:
15:50 <+rob0> --route-nopull
15:51 < i7c> might be what I'm looking for. I don't use push at all but it still adds the default routes for the tun device
15:51 < i7c> which is no problem but I like it clean ;)
16:09 <+EugeneKay> ecrist mattock - who is paying for the shirts, anyway? Just donation slush fund?
20:39 < plut0> this the correct channel for adito support?
20:50 < plut0> anyone?
20:55 < chrisb> yes?
20:56 < plut0> this the correct channel for adito support?
20:57 < chrisb> plut0: ? openvpn
21:00 < plut0> this differ from openvpn-als?
21:01 <+EugeneKay> !as
21:01 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
21:01 <+rob0> openvpn-als? is that Lou Gehrig's openvpn?
21:02 < plut0> http://sourceforge.net/projects/openvpn-als/
21:02 <@vpnHelper> Title: OpenVPN ALS | Free software downloads at SourceForge.net (at sourceforge.net)
21:03 < plut0> am I in the wrong place?
21:08 <+rob0> If mattock is the same one as from OpenVPN ALS, you're probably in the right place.
21:08 <+rob0> but I know nothing about OpenVPN ALS
21:08 < plut0> mattock?
22:33 <+pekster> i7c: You might also look at --route-noexec which doesn't add any routes and passes them as env-vars to a script defined by --route-up. Using subnet topology you need the local subnet as a route to simply reach the peer or other clients on the network
--- Day changed Fri Jan 04 2013
05:49 < Cpt-Oblivious> I got 2 networks. Both 192.168.1.x, on 1 of them I run OpenVPN, and it has 10.248.12.1 as gateway IP and hands out 10.248.12.x IP addresses. How would I get other PCs on the 192.168.1.x network of the server to be accessible for the clients that get dealt the 10.248.12.x IP addresses? I tried giving the PCs on the server side LAN another IP address like 10.248.12.50 for example. But that doesn't work. What route or something should I push to the clients / place in my server config?
06:00 <@plaisthos> You should avoid the same subnet
06:01 <@plaisthos> for 2.3 you can look into client-nat
06:01 <@plaisthos> !samenetwork
06:03 <@plaisthos> !samesubnet
06:03 <@vpnHelper> "samesubnet" is (#1) clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you can't reach your gateway or (#2) you can use --client-nat if on 2.3 to work around changing the subnet, but you should still just change the subnet
06:05 < Cpt-Oblivious> Hmm
06:06 <@plaisthos> otherwise you need NAT/routing rules which in most cases give more headaches than renumbering
06:06 <@plaisthos> especially since that often leads to subtle errors
06:07 < Cpt-Oblivious> I currently also have a RAS PPTP VPN running. And with that I just assigned all servers in the 192.168.1.x LAN also a 10.248.11.x IP address
06:07 < Cpt-Oblivious> And that's pingable
06:07 < Cpt-Oblivious> but a friend configured that mostly, so I'm not sure if it's NATting. Let's see.
06:08 < Cpt-Oblivious> Can't you just have OpenVPN act as a router for 10.248.12.x?
06:08 <@plaisthos> sure
06:08 < Cpt-Oblivious> And that if other PCs in the 192.168.1.x subnet want to connect, you can just use 10.248.12.1 as gateway for them and 10.248.something as their IP address?
06:09 <@plaisthos> but OpenVPN does not do the routing, the computer on which OpenVPN runs has to do the routing
06:09 < Cpt-Oblivious> like assign that as second static IP address?
06:10 < Cpt-Oblivious> Hmmm
06:12 < Cpt-Oblivious> Can't I add like a rule on my router, that if anything in the subnet wants to reach a 10.248.12.x address, that they have to go to 10.248.12.1 which is the OpenVPN server?
06:12 < Cpt-Oblivious> And doesn't the OpenVPN server then forward it to its clients?
06:13 <@plaisthos> yes sure
06:13 < Cpt-Oblivious> So if I'd add a rule that says 10.248.12.x -> 10.248.12.1
06:13 < Cpt-Oblivious> then it'd work?
06:13 <@plaisthos> OpenVPN forwards to its clients whatever enters the tun device
06:14 <@plaisthos> if you give out 10.248.12.0/24 to your clients OpenVPN expects all of these IPs to be clients
06:16 < Cpt-Oblivious> Ooh I didn't, I gave like 30 IPs to clients
06:19 <@plaisthos> You have an OpenVPN network like 10.248.12.0/27 and a normal network like 10.248.12.0/24 and are wondering why it does not work?
06:20 < Cpt-Oblivious> Uhh
06:20 < Cpt-Oblivious> I got a 192.168.1.x network
06:20 < Cpt-Oblivious> On which all servers connect to get internet
06:20 < Cpt-Oblivious> 1 of those servers, 192.168.1.146, is the OpenVPN server
06:20 < Cpt-Oblivious> The OpenVPN server has 10.248.12.1 as IP address
06:21 < Cpt-Oblivious> And gives clients IP addresses like 10.248.12.6 or 10.248.12.10
06:21 < Cpt-Oblivious> other servers on that 192.168.1.x network, like 192.168.1.141, I tried giving them also an address like 10.248.12.50, and I want clients to be able to reach that.
06:22 <@plaisthos> yeah, like I said :)
06:22 <@plaisthos> you have two different 10.248.12.0 networks
06:22 <@plaisthos> one of OpenVPN and one in your LAN
06:22 < Cpt-Oblivious> I guess?
06:23 <@plaisthos> You should read more about routing, but for starters change one of the networks and add a route for the other network on both sides
06:24 < Cpt-Oblivious> I guess the part that got me confused is that I do like the exact same thing with RAS. I give clients 10.248.11.2 addresses for example, server is 10.248.11.1, and I also added 10.248.11.50 addresses as second IP on other servers. And that works
06:26 <@plaisthos> yes RAS works differently
06:26 <@plaisthos> RAS is like a mix of tun and tap iirc
06:26 < Cpt-Oblivious> Yea looks like that
06:33 < Cpt-Oblivious> Thanks for your advice though. I think I'm going to change the subnet serverside first. Sounds like the least painful solution.
08:04 < i7c> how come my OpenVPN has such bad performance compared to an SSH tunnel? it happens quite some time that the latency goes up (I open a web page and it takes like 20 seconds until I get a response) also speedtests are worse.
08:04 < i7c> I use UDP and no compression.
08:06 < i7c> also I noticed the server has a very high CPU usage (~60%) while the client has like 2%... ok different CPUs but still
08:12 <@dazo> i7c: depends on firewalling, routing, DNS, and if your ISPs on both server and client side have good performance over UDP ... basically your complete configuration setup .... for me VPN and SSH tunnels do not have any difference at all
08:13 < i7c> dazo: so could it even be that TCP has better performance?
08:15 <@dazo> i7c: in some cases, some ISPs really cripple UDP traffic
08:16 < i7c> oh ok. I will test this. also I could really use some tools for testing my server's network performance
08:16 <@dazo> i7c: iperf is pretty decent for that
08:16 < i7c> thanks! I'll check it out
08:16 <@dazo> it can test UDP and TCP ... and you can then test it outside and inside the tunnel ... to see if it's your connection or VPN setup
08:17 <@dazo> which is troubling you
08:17 * dazo heads out for a while
08:17 < i7c> :)
08:17 < i7c> awesome
08:17 < i7c> thanks
08:17 < i7c> till then
08:44 < i7c> okay so my performance via OpenVPN is way worse, but UDP is still better... what else could I tweak?
09:09 < ExxKA> Hey guys. I have a problem where my VPN connection is dropped after about 1 hour. I am using Tunnelblick. I know you are not a Tunnelblick support channel but I thought you may have an idea?
09:10 <@ecrist> what's the error
09:24 < ExxKA> ecrist, there is no error, other than traffic routed through the VPN never makes it (after the 1 hour)
09:24 < ExxKA> The connection seems to be active, but in practice it is not
09:25 < ExxKA> I have been thinking that maybe it is a timeout setting on the DNS settings or routes used?
09:25 < ExxKA> Or maybe a parameter server side? To be honest I do not use the routes very often as they only lead to my git repository
09:26 < ExxKA> So it may be that it's a timeout because I have not used the connection. I would just think that the connection was still kept alive?
09:28 <@ecrist> ExxKA: what do your OpenVPN logs indicate? If you're using UDP for the VPN, you might be hitting a UDP state timeout on a router/firewall (yes, I know, UDP is stateless)
09:28 <@ecrist> do you have a keepalive in the OpenVPN configuration?
09:29 < ExxKA> Good question. Do you know where the logs reside?
09:29 <@ecrist> !logs
09:29 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client (OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client (Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you don't know how to find your logs, see !logfile
09:29 < ExxKA> !logfile
09:29 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info
09:29 < ExxKA> Hmm ok
09:30 < ExxKA> No I have no keepalive setting
09:30 < ExxKA> That may be it!
09:32 < ExxKA> Nope.
09:32 < ExxKA> It seems that by default keepalive is forever
09:32 < ExxKA> or --inactive 0 :)
09:33 <@ecrist> so, you need to add a keepalive
09:33 <@ecrist> usually --keepalive 5 10 or so is more than sufficient
09:33 <@ecrist> or even 10 60
09:33 < ExxKA> can I add it to any of the lines in my configuration file?
09:34 <@ecrist> it's a new line
09:34 < ExxKA> I suppose it will just be "keepalive 10 60" on a line by itself?
09:34 <@ecrist> yup
09:34 < ExxKA> Thanks
09:34 < ExxKA> I will give it a go :)
09:37 <@dazo> i7c: You might learn a few tricks here ... https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
09:37 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
10:30 < kisom> Made my computers lock their screens when OpenVPN disconnects
10:31 <+hazardous> o_O
10:31 < kisom> It's quite nice in fact. Imagine if someone stole the machine.
10:31 < kisom> Then they wouldn't have access to my files any more.
10:33 <@ecrist> all because of a screen lock
10:34 <+hazardous> yolo
10:46 < kisom> ecrist: And full disk encryption.
11:32 <@plaisthos> kisom: does your notebook have an ExpressCard slot?
11:32 <@plaisthos> or Thunderbolt?
11:35 <@krzee> MacBookPro CPU: Intel Core i7 M 620 2.67GHz @ 2.66GHz [SSE3/SSSE3/SSE4.1/SSE4.2/x86_64/PAE/XD/VT/EST/OctaCore] L3: 4MB QPI: 4.8 GT/s RAM: 3.2GB/8.0GB swap: 0.00M/64.00M Disk: 167.48GB/173.85GB GPU: NVIDIA GeForce GT 330M & Intel HD Graphics [512 MB & 288 MB/Stock] 1920x1200 OS: Mac OS X 10.7.5 (11G63) Kernel: 11.4.2 Arch: 64 Bit
11:38 <@krzee> mine has an ExpressCard slot
11:44 <@plaisthos> yeah, full disk encryption is compromised by these extensions
11:44 <@plaisthos> since you get DMA capabilities and read the full memory of the notebook
11:45 <@plaisthos> (if the notebook is on of course)
11:45 <@plaisthos> this btw. is the reason why the Xbox 360 processor has embedded RAM on the CPU die to keep the keys from going into main memory
11:47 < chrisb> plaisthos: good details
11:49 <@plaisthos> never underestimate your attackers :)
11:50 <@plaisthos> last time I checked (about 3 years ago) you could dump a MacBook's memory with FireWire
11:50 <@plaisthos> and FireWire is cheap and FreeBSD even has a dev/firewire mem device to make this easy for you ....
12:12 <@ecrist> kisom: screen lock doesn't do anything with disk encryption
12:23 < miha> trying to configure Windows OpenVPN client. I use VPN as gateway, think I need to set DNS too
12:23 < miha> I'm pretty sure server pushes DNS, but Windows client so far ignores it?
12:24 <@dazo> miha: nope ... Windows clients do not ignore it ... make sure you use --push "dhcp-option $DNS_IP" in your server config
12:25 < miha> I have it without -- ?
12:26 < miha> push "dhcp-option DNS 193.xxx...."
12:27 < miha> works on Ubuntu client
12:27 < Cpt-Oblivious> plaisthos, we're changing the server side subnet from 192.168.1.0/24 to 192.168.0.0/24 now.
12:27 <+pekster> miha: You should see that DNS server under the TAP-Win32 adapter if you do 'ipconfig /all' in a prompt
12:27 < Cpt-Oblivious> Had to wait for my friend to come online. Server is hosted at his home network since he has 100/100 Mbps fiber.
12:30 < miha> pekster: you're right. DNS is there. default gateway isn't
12:31 < miha> what is the command to use VPN as gateway??
12:32 < miha> I googled forum posts
12:33 < miha> redirect-gateway ?
13:56 < Cpt-Oblivious> Miha, it is indeed the redirect-gateway one.
14:00 < Cpt-Oblivious> Hmm.... All PCs in my subnet can ping all VPN clients.
14:00 < Cpt-Oblivious> But the VPN clients can only ping the OpenVPN server, what setting am I missing?
14:01 <+pekster> Cpt-Oblivious: What is it you want? Clients to reach other clients, or the LAN? and is the LAN behind the VPN server or a client?
14:02 <@ecrist> !goal
14:02 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server, I would like to access the internet over my vpn, I just want a secure connection between 2 computers, etc
14:03 < Cpt-Oblivious> At the moment I got a 192.168.0.x LAN, in which the OpenVPN server is situated. Clients connect from a 192.168.1.x LAN. They get assigned an IP address out of the 10.248.12.x pool. 192.168.0.146 / 10.248.12.1 is the OpenVPN server. Right now, all clients can connect and can ping both IP addresses of the OpenVPN server. They can however not ping any other 192.168.0.x IP address. All other servers in the 192.168.0.x subnet can ping every 10.248.12.x client though.
14:04 < Cpt-Oblivious> I've got IP forwarding enabled on the OpenVPN server. So that can't be it.
14:05 <+pekster> Sounds like a firewall issue to me, unless you're performing SNAT on traffic bound for the VPN network
14:05 < Cpt-Oblivious> A firewall issue on the OpenVPN server then I guess?
14:06 < Cpt-Oblivious> All clients from 192.168.0.x just talk to their gateway, 192.168.0.1, and that gateway tells them that they can find 10.248.12.x people at 192.168.0.146 (the OpenVPN server). And that works beautifully.
14:06 < Cpt-Oblivious> The communication in the other direction isn't working though. The VPN clients try to talk to 192.168.0.x PCs. But the OpenVPN server isn't forwarding those requests to the router.
14:06 < Cpt-Oblivious> It only answers when asked on its own 192.168.0.146 address.
14:09 <+pekster> So: are you using NAT?
14:09 < Cpt-Oblivious> Not that I'm aware of.
14:09 <+pekster> Clearly routing is working fine since the reply from the VPN clients makes it back to the server-side LAN systems
14:09 < Cpt-Oblivious> The OpenVPN server should just forward all 192.168.0.x requests to the router / gateway and then all will be fine.
14:09 <+pekster> So, you're left with a firewall
14:09 <+pekster> What OS?
14:09 < Cpt-Oblivious> Ubuntu 12.04
14:10 <+pekster> Can you pastebin the output of 'iptables-save' ?
14:10 < Cpt-Oblivious> ofc, sec
14:11 < Cpt-Oblivious> that outputs nothing
14:11 < Cpt-Oblivious> I can show you what iptables --list outputs though?
14:12 <+pekster> If you have any firewall rules, 'iptables-save' dumps them in the most usable format for diagnostic purposes. How does it show you "nothing"?
14:12 < Cpt-Oblivious> I did that in the command line and it doesn't output anything
14:12 < Cpt-Oblivious> it just executes it
14:12 < Cpt-Oblivious> or do I have to go to some file where the rules get saved into?
14:13 < Cpt-Oblivious> www.pastebin.com/ZzqEEEyC
14:13 <+pekster> As root? '/sbin/iptables-save' should never output nothing unless you don't have iptables support in your kernel :\
14:13 <+pekster> Ah, okay, so you literally have no filtering, got it
14:13 < Cpt-Oblivious> ah, I didn't run it as root
14:13 < Cpt-Oblivious> now I get output
14:14 < Cpt-Oblivious> www.pastebin.com/j0tHFwjG
14:14 <+pekster> Well, the output you just gave works too (iptables-save is just easier to read than any 'iptables' output, but your rules are fully empty and accept all traffic.)
14:15 <+pekster> So, I'm left wondering if the clients themselves are the ones dropping the traffic. If you can ping from a LAN client on 192.168.0/24 to a VPN client on 10.248.12/24, you know routing and firewalls are permissive of that traffic
14:15 < Cpt-Oblivious> yea
14:15 < Cpt-Oblivious> that works
14:15 <+pekster> Try a tcpdump on the VPN server's LAN iface as you ping from VPN client to server. You should see an echo-request go out to the client LAN IP, then an echo-reply come back
14:16 <+pekster> My guess is you only see the request, not the reply. The solution there is to fix the LAN client's firewall to allow the request
14:16 < Cpt-Oblivious> So I start a ping -t towards any of the 192.168.0.x clients except for the server since that one works
14:16 < Cpt-Oblivious> and then do a tcpdump?
14:16 <+pekster> Erm, ping from the client to the LAN system, I mean
14:16 < Cpt-Oblivious> yea
14:16 < Cpt-Oblivious> that's that
14:17 < Cpt-Oblivious> the clients got 192.168.1.x natively. And get a 10.248.12.x assigned. So I ping from 10.248.12.x towards any of the 192.168.0.x computers on the server side. Except for 192.168.0.146 since that is the OpenVPN server and that works.
14:18 <+pekster> That's the issue you started with, right? So you're still not getting replies? What does the tcpdump show you?
14:18 < Cpt-Oblivious> ooh
14:18 < Cpt-Oblivious> I have an idea
14:19 <+pekster> Assuming eth0 is your LAN iface on the server, 'tcpdump -pnvi eth0 icmp' will show you what you want
14:19 < Cpt-Oblivious> Shouldn't I have something in my client config which tells my client that if I want to talk to 192.168.0.x people that I have to forward everything to 10.248.12.1 / 192.168.0.146 (the OpenVPN server)
14:19 < Cpt-Oblivious> shouldn't there be a static route like 192.168.0.0/24 to 10.248.12.1 or something?
14:20 <+pekster> You must already have that if your LAN network clients can ping 10.248.12/24 directly
14:20 <+pekster> Yes, there should. Unless you've mis-stated your problem in your original description, you already have that
14:20 < Cpt-Oblivious> I don't have that :P
14:20 < Cpt-Oblivious> and it works :P
14:21 < Cpt-Oblivious> The only thing I did is add a route on my gateway on the server side. Which tells all 192.168.0.x computers that if they want to chat to a 10.248.12.x VPN client, that they have to go to the 192.168.0.146 IP of the server.
14:21 < Cpt-Oblivious> I physically added that on the router.
14:21 <+pekster> Okay, then you made a mistake when you said "All other servers in the 192.168.0.x subnet can ping every 10.248.12.x client though."
14:21 < Cpt-Oblivious> No they can.
14:21 < Cpt-Oblivious> Any 192.168.0.x server can ping any client in 10.248.12.x, they'll get replies.
14:21 < Cpt-Oblivious> the other way around just doesn't work.
14:21 <+pekster> Then you have that return route already
14:22 <+pekster> It's not a routing problem. It's a firewall problem
14:22 < Cpt-Oblivious> let me shut down the firewalls on both machines
14:22 < Cpt-Oblivious> sec
14:22 < Cpt-Oblivious> ooh it's off already :p
14:22 <+pekster> Look at it this way: the reply goes from the 10.248.12/24 network to the 192.168.0/24 network. Since you get the reply that follows that path, you can infer you have the required route already
14:23 < Cpt-Oblivious> Yea
14:23 < Cpt-Oblivious> they can reply
14:23 < Cpt-Oblivious> they just can't figure out where to start talking on their own.
14:23 <+pekster> This means routing is fine
14:23 <+pekster> So, that tcpdump?
14:23 <+pekster> What did you learn from it?
14:23 < Cpt-Oblivious> yes, let me do that. 1 sec.
14:24 < Cpt-Oblivious> but
14:24 < Cpt-Oblivious> I got the VPN as UDP configured
14:24 < Cpt-Oblivious> should I make it a UDP dump?
14:25 <+pekster> No.
We don't care about the encrypted traffic 14:25 <+pekster> You care about pings 14:25 < Cpt-Oblivious> ok 14:25 <+pekster> So, dump icmp traffic on your LAN, just as I asked 14:26 < Cpt-Oblivious> doing that dump now 14:26 < Cpt-Oblivious> www.pastebin.com/A3hFEabS 14:28 <+pekster> Requests go out, and no replies come back. Your problem is your LAN system's firewall on 192.168.0.141 14:28 < Cpt-Oblivious> those icmp's / pings all time out. I'm trying to ping 192.168.0.141 from 10.248.12.6. 14:28 < Cpt-Oblivious> other way around works though 14:28 < Cpt-Oblivious> 192.168.0.141 is a windows server 2008r2 with the firewall disabled. 14:28 <+pekster> Apparently not 14:29 < Cpt-Oblivious> well.. it is :p 14:29 < Cpt-Oblivious> domain / private / public, all off. 14:29 <+pekster> Maybe the firewall on the LAN's default gw? 14:29 <+pekster> Somewhere a firewall is dropping the reply traffic 14:30 < Cpt-Oblivious> yea 14:30 < Cpt-Oblivious> Can i do a TCP dump on a windows server 2008r2 in command prompt or powershell? 14:30 < Cpt-Oblivious> so i can see if that one is dropping it? 14:30 <+pekster> You can install Wireshark 14:30 < Cpt-Oblivious> damn it :P 14:30 < Cpt-Oblivious> already feared that was the answer :P 14:30 < Cpt-Oblivious> ok on it. 14:31 <+pekster> That'll tell you if the 192.168.0.141 IP is even replying. If it is, then the only other system in the way is the LAN's gw system (which presumably has a firewall of its own) 14:31 <+pekster> Even if it has the route (which again, we know since traffic works the other way) it still needs to allow it 14:31 < Cpt-Oblivious> installing wireshark portable atm 14:32 < Cpt-Oblivious> done 14:33 < Cpt-Oblivious> let's see 14:33 < Cpt-Oblivious> nope 14:33 < Cpt-Oblivious> never reaches the win 2008r2 server 14:33 < Cpt-Oblivious> nothing of 10.248.12.6 in the entire capture 14:34 < Cpt-Oblivious> nothing of the openvpn server either 14:34 <+pekster> Dumping on it's LAN interface 14:34 <+pekster> ? 
14:34 < Cpt-Oblivious> hmm 14:35 < Cpt-Oblivious> that filter isn't working as i thought it would 14:35 < Cpt-Oblivious> running capture again 14:35 <+pekster> Just do 'icmp' as your capture filter 14:35 <+pekster> (same as for tcpdump_ 14:35 <+pekster> And make sure the correct interface is used 14:35 < Cpt-Oblivious> ah 14:35 < Cpt-Oblivious> I see 2 packets 14:36 < Cpt-Oblivious> 10.248.12.6 as source 14:36 < Cpt-Oblivious> destination 192.168.0.141 14:36 < Cpt-Oblivious> ping request 14:36 < Cpt-Oblivious> icmp 14:36 < Cpt-Oblivious> about 5 seconds in between, about the time between icmp time outs 14:36 <@plaisthos> no ping reply? 14:37 <+pekster> If you don't see any reply traffic, then your local system is not generating any replies 14:37 <+pekster> That 192.168.0.141 system isn't also on the VPN network, is it? 14:37 <+pekster> (that would screw things up) 14:37 < Cpt-Oblivious> nope it isn't. 14:37 <+pekster> Then it's a local firewall ;) 14:37 < Cpt-Oblivious> that 192.168.0.146 is the OpenVPN server. 192.168.0.141 is the file server. 14:38 < Cpt-Oblivious> ooh 14:38 < Cpt-Oblivious> i see ping replies as well 14:38 < Cpt-Oblivious> source: 192.168.0.141 to 10.248.12.6 14:38 <+pekster> Then repeat the same procedure on the LAN's gateway, because that reply is never making it to the VPN server 14:38 < Cpt-Oblivious> eccho (ping) reply 14:39 <@plaisthos> Cpt-Oblivious: look at the mac addresses of icmp request and icmp reply 14:39 <@plaisthos> they should be the same in reverse order 14:39 <+pekster> plaisthos: Not in this case, because the VPN server is attached to the LAN but not the LAN's default gw 14:39 <@plaisthos> pekster: oh okay 14:40 <@plaisthos> so the lan default gw has a route going back to the vpn server? 14:40 <+pekster> Yup. 
Pings work the other way around 14:40 < Cpt-Oblivious> the ping reply is like instantly generated 14:40 <@plaisthos> nevermind then 14:40 <+pekster> So now it looks like the LAN gw is the firewall having problems 14:40 < Cpt-Oblivious> time of ping request: 1.45023600 14:40 <+pekster> Cpt-Oblivious: Check/fix your firewall on the gateway of your LAN 14:40 < Cpt-Oblivious> time of ping reply: 1.4503500 14:41 < Cpt-Oblivious> Hmmm 14:41 <@krzee> can be verified by bypassing the gw for a lan machine 14:41 < Cpt-Oblivious> how would i do that? 14:41 <@krzee> if it works then, then its for sure the gw's fault 14:41 <@krzee> its explained in: 14:41 <@krzee> !route 14:41 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide 14:41 <@krzee> under ROUTES OUTSIDE OPENVPN 14:42 <+pekster> Add a route on 192.168.0.141 that routes 10.248.12/24 via 192.168.0.146 14:42 <@krzee> "the annoying work-around would be to add the route to every box on the LAN, in which case step 3 above would work." 14:42 <@krzee> ya that ^ 14:42 < Cpt-Oblivious> I got that pekster 14:42 <+pekster> (that's really a hack, but it'll identify the LAN gw as your problem without a doubt) 14:42 <@krzee> exactly 14:42 <+pekster> Unless you like manual routes on an entire subnet :P 14:42 <+pekster> More interns! 14:43 <@krzee> hahah 14:43 < Cpt-Oblivious> on my router / gateway I got a '10.248.12.0 with 255.255.255.0 to 192.168.0.146' static route. 14:43 <+pekster> Fix your *firewall*. 
Not routing ;) 14:43 <@krzee> right, if you add that to a host machine on the lan it will bypass the gw, and if that works we know 100% you need to fix your gw 14:43 < Cpt-Oblivious> ah 14:43 < Cpt-Oblivious> i understand what you're getting at 14:44 -!- brute11k [~brute11k@89.249.235.177] has quit [Quit: Leaving.] 14:44 < Cpt-Oblivious> netstat something was that 14:44 < Cpt-Oblivious> let me google it 14:44 <@krzee> google what!? 14:44 <@plaisthos> pekster: or crazy setup like sending unsolicated icmp redirects 14:44 < Cpt-Oblivious> how to add a static route again via netstat to a win2008r2 server 14:44 <+pekster> the 'route.exe' command will add routes 14:44 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn 14:44 <+pekster> 'route /?' should give you usage syntax 14:44 < Cpt-Oblivious> ah 14:44 < Cpt-Oblivious> yea i see 14:44 <@krzee> route add 10.248.12.0 mask 255.255.255.0 192.168.0.146 14:44 <+pekster> plaisthos: I didn't know people still accepted redirects :P 14:44 <@plaisthos> krzee: you know: irc is just a google frontend with more insults 14:45 <@krzee> lol 14:45 < Cpt-Oblivious> done 14:45 <+pekster> And sometimes really bad advise (wait, google does that too!) 14:45 <@krzee> but we predate google! 14:45 < Cpt-Oblivious> ZOMG 14:45 < Cpt-Oblivious> it works 14:45 < Cpt-Oblivious> fuck you firewall on router 14:45 <@krzee> there, no go fix your router :D 14:45 <+pekster> Why don't you fix it then? 14:45 <@krzee> now* 14:45 <@plaisthos> pekster: i think most modern OSes still accept them 14:45 < Cpt-Oblivious> Damn Asus RT-N66U 14:46 <@plaisthos> pekster: there is no local lan security anyway :) 14:46 <@plaisthos> (icmp redirects from their default gw that is) 14:46 <+pekster> M&M security baby! (do it in an Austin Powers voice for best results) 14:46 < Cpt-Oblivious> hmmm 14:46 < Cpt-Oblivious> maybe that static route on the router 14:46 < Cpt-Oblivious> should that be added on the WAN port? 
14:46 < Cpt-Oblivious> instead of the LAN port 14:46 <@krzee> pekster, most can be dns poisoned as well 14:46 < Cpt-Oblivious> could that be it? 14:47 <+pekster> Sure. TLS or die 14:47 < Cpt-Oblivious> or on the 'MAN' port w/e the hell that is 14:47 <+pekster> Cpt-Oblivious: YOu probably have a 'firewall' tab somewhere 14:47 < Cpt-Oblivious> yea i do 14:47 < Cpt-Oblivious> it's all turned off 14:47 <@krzee> is it running linux? 14:47 < Cpt-Oblivious> it's an Asus RT-N66U 14:47 < Cpt-Oblivious> just a web interface 14:47 <@krzee> ya i dunno 14:48 < Cpt-Oblivious> Firewall, no, DoS protection, no, Respond to ping requests from WAN, yes. Url filter, off, keyword filter, off. Network services filter, off. 14:48 < Cpt-Oblivious> that's about all the firewall stuff i got. 14:48 <+pekster> You should be able to download a manual online that'll tell you how to add a firewall rule 14:48 < Cpt-Oblivious> i know where to add firewall rules 14:48 < Cpt-Oblivious> but the firewall on that thing is completely off 14:48 <@krzee> probably gotta specifically allow something 14:48 < Cpt-Oblivious> what kind of rule would you suggest i add? 
14:48 <+pekster> You need something to the effect of '-A FORWARD -s 192.168.0.0/24 -d 10.248.12.0/24 -i $lan_if -o $lan_if' in iptables-save syntax 14:49 <@krzee> it says off, but if it was off it would not do NAT 14:49 <+pekster> However you do that in your WebUI, that's for you to figure out 14:49 <@krzee> so its obviously on, but your optional additions are off 14:49 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving] 14:49 <@krzee> pekster, that would have failed on my dd-wrt, it has a rule at the end already blocking stuff, i had to use -I 14:50 <+pekster> iptables-save does not know '-I' 14:50 <@krzee> ahh 14:51 < Cpt-Oblivious> no idea why that router is being a dick 14:51 -!- Guest31276 [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Quit: Don't flap your BGP at me sonny] 14:51 <+pekster> And that, is why I run my own OS on my routers 14:51 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn 14:51 < Cpt-Oblivious> 'Disable GRO(Generic Recieve Offload)' should that be off? 14:51 <+pekster> "If you want it done right..." 14:52 <+pekster> Nope. You have a basic firewall problem. It's not even NAT because the packets never even make it to the VPN server which is responsible for the network 14:52 < Cpt-Oblivious> I agree pekster 14:52 <@plaisthos> Guest15284: interesting reverse lookup ... 14:52 < Cpt-Oblivious> when i'm getting my 500/500 mbps fiber connection vs the 100/100 mbps one now. I'm building my own PFsense box. 14:53 < Cpt-Oblivious> Would any of you guys want to have a quicklook on my gateway via Teamviewer? 
14:53 < Cpt-Oblivious> maybe i'm missing something trivial 14:54 <@plaisthos> Cpt-Oblivious: probably not 14:54 <@plaisthos> your use case was not consider by the guy designing this thing 14:54 < Cpt-Oblivious> it's a 130 euro router :P 14:55 < Cpt-Oblivious> it just shouldn't block a damn thing :p 14:55 < Cpt-Oblivious> and route :p 14:56 <@plaisthos> that router can handle a 100 Mbit connection? 14:56 < Cpt-Oblivious> yea 14:56 < Cpt-Oblivious> can handle about 800 mbit of WAN traffic 14:56 < Cpt-Oblivious> it's a pretty beafy router 14:56 <@plaisthos> astonishing 14:56 < Cpt-Oblivious> we bought it like 2 months ago 14:56 < Cpt-Oblivious> because the old one crapped out around 150 mbps 14:59 <@plaisthos> You should have hired a profssional consultant. Then you probably now had a Cisco ASA for at least ten times the price :) 14:59 < Cpt-Oblivious> lol :P 14:59 < Cpt-Oblivious> I'm a 20 year old student 14:59 < Cpt-Oblivious> this is a home network :P 14:59 < Cpt-Oblivious> I study Computer Science :P 15:00 <@plaisthos> or a CISCO ASR ;) 15:00 < Cpt-Oblivious> nah :P 15:00 < Cpt-Oblivious> I don't mind building my own Pfsense box 15:00 < Cpt-Oblivious> so i can play around with snort and stuff like that 15:00 < Cpt-Oblivious> when i get the 500/500 mbps fiber 15:00 < Cpt-Oblivious> but i'm not gonna spend a fuck load of money on cisco stuff 15:00 <@plaisthos> where you from that you are able to afford a 500/500 fiber? 15:01 < Cpt-Oblivious> The Netherlands 15:01 < Cpt-Oblivious> 500/500 mbps fiber, un metered. Downloading is legal. 
Costs 65 usd / month 15:01 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 240 seconds] 15:03 <@plaisthos> Cpt-Oblivious: I can get 16/1 MBit DSL for 20 EUR but I cannot get anything faster :/ 15:03 < Cpt-Oblivious> sucks :S 15:03 < Cpt-Oblivious> I got 50/3 mbps for something like that right now 15:04 < Cpt-Oblivious> my friend has 100/100 mbps fiber for 30-35 euro or so 15:04 < Cpt-Oblivious> and i might be moving into an appartment soon which has 500/500 for 50 euro or so 15:04 <+hazardous> nerds 15:04 <+hazardous> (also xs4all owns) 15:05 < Cpt-Oblivious> lol 15:05 < Cpt-Oblivious> no thnx :P 15:05 < Cpt-Oblivious> though xs4all fiber ain't bad 15:05 < Cpt-Oblivious> any fiber is good :P 15:06 -!- lsa [~la@pdpc/supporter/active/lsa] has joined #openvpn 15:08 < lsa> I have an OpenVPN server using UDP. Multiple clients are attempts to connect from a single IP address. There are issues getting connected/staying connected. Should this be expected with this situation? UDP + multiple clients from same NATed IP. 15:12 <@plaisthos> broken nat gw 15:12 <@plaisthos> probably 15:12 <@plaisthos> are you using nobind? 15:13 <@plaisthos> if not try again with nobind in client configs 15:19 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Quit: Don't flap your BGP at me sonny] 15:24 < lsa> plaisthos: I'll try that, thank you. 15:24 < lsa> plaisthos: Just add "nobind" to a new line in the config file, right? 
15:28 -!- Guest78377 [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn 15:28 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 15:34 -!- Guest78377 [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Changing host] 15:34 -!- Guest78377 [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn 15:35 -!- Guest78377 [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Quit: Don't flap your BGP at me sonny] 15:35 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn 15:35 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Changing host] 15:35 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn 15:49 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 15:50 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Remote host closed the connection] 16:02 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Ping timeout: 276 seconds] 16:09 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 16:14 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 16:14 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 16:18 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 16:42 -!- amir [~amir@unaffiliated/amir] has quit [Ping timeout: 264 seconds] 16:50 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer] 16:55 -!- amir [~amir@unaffiliated/amir] has joined #openvpn 16:57 <@plaisthos> lsa: yes 17:09 -!- sysdoc [~sysdoc@pool-71-105-40-229.lsanca.dsl-w.verizon.net] has joined #openvpn 17:17 -!- Azrael_- [~idjfijdi@adsl-62-167-40-41.adslplus.ch] has joined #openvpn 17:17 < Azrael_-> hi 17:22 < lsa> plaisthos: it worked. thanks a lot. 
17:22 < lsa> have a good weekend 17:22 -!- lsa [~la@pdpc/supporter/active/lsa] has quit [Quit: leaving] 18:03 -!- medum [kevin@2607:f2f8:a4c4::2] has joined #openvpn 18:04 < medum> hi all. how would i go about making openvpn fail open? 18:06 <+rob0> and that means ... ? 18:10 <@krzee> medum, try your translation app again =] 18:11 < medum> meaning openvpn connection dies, internet is cutoff completely. rather than reconnecting without using the vpn at all 18:11 <@krzee> !def1 18:11 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 18:11 <@krzee> dont use def1 18:12 <@krzee> def1 makes it so you stay connected without the vpn, without it openvpn does what you desire 18:14 < medum> i'm not using def1 now and it doesn't look like it's used by default either 18:17 <@krzee> then you have no route to the internet without your vpn 18:17 <@krzee> ify ou are using redirect-gateway 18:18 < medum> i just tried adding redirect-gateway without def1 to my config. but pkill openvpn still sends traffic without the vpn 18:20 <@krzee> show me your routing table while openvpn is running, and after you stop it 18:23 < medum> default 192.168.1.1 wlan0 is there in the before and after 18:24 < medum> guess it has to be 18:27 < medum> http://pastebin.com/NTKfhuzK 18:31 <+rob0> that sure looks like def1 to me 18:31 < medum> redirect-gateway is in my config 18:39 <@krzee> !configs 18:39 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. 
or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config 18:39 <@krzee> both 19:04 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 252 seconds] 19:05 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 19:09 -!- videl_ is now known as videl 19:17 -!- Devastator- [~devas@177.18.199.7] has joined #openvpn 19:18 -!- raidz is now known as raidz_away 19:19 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 276 seconds] 19:20 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 19:31 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 19:31 -!- mode/#openvpn [+o krzee] by ChanServ 19:44 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Ping timeout: 265 seconds] 19:46 -!- Denial- [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 19:46 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn 19:47 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [Ping timeout: 252 seconds] 19:47 -!- Denial- is now known as Denial 20:04 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Remote host closed the connection] 20:04 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn 20:15 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn 20:15 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn 20:15 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Client Quit] 20:24 <+hazardous> yo 20:32 -!- Devastator- [~devas@177.18.199.7] has quit [Changing host] 20:32 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn 20:34 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has joined 
#openvpn 20:40 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Ping timeout: 256 seconds] 20:41 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn 20:48 -!- Devastator- is now known as Devastator 20:48 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Ping timeout: 246 seconds] 21:01 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has quit [Remote host closed the connection] 21:03 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 21:05 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has quit [Quit: Leaving.] 21:28 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 21:43 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has quit [Quit: Leaving.] 21:45 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has quit [Ping timeout: 245 seconds] 21:48 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 21:57 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [] 22:01 -!- MeanderingCode [~Meanderin@71-213-184-243.albq.qwest.net] has quit [Ping timeout: 255 seconds] 22:06 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn 22:07 -!- MeanderingCode [~Meanderin@71-213-184-243.albq.qwest.net] has joined #openvpn 22:12 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Ping timeout: 264 seconds] 22:12 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn 22:12 -!- [fred] [fred@konfuzi.us] has quit [Remote host closed the connection] 22:17 -!- MeanderingCode [~Meanderin@71-213-184-243.albq.qwest.net] has quit [Read error: Connection reset by peer] 22:17 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has left #openvpn [] 22:20 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Ping timeout: 256 seconds] 22:21 -!- [fred] [fred@konfuzi.us] has joined 
#openvpn 22:24 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn 23:02 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 23:08 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 23:16 -!- troy- [~troy@dcamp-bbr1.prg1.eu.tauri.ca] has joined #openvpn 23:16 < troy-> is it possible to create a point-to-point VPN with a /30 instead of /32s on each side? 23:21 <+pekster> troy-: This is what the net30 topology does. If your systems support a true PtP mode, why not use that instead? 23:23 < troy-> pekster: my endpoints are ubuntu servers configured based on the http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html tutorial 23:23 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net) 23:23 < troy-> how would i know whether i can support 'true PtP mode'? 23:23 <+pekster> Linux does (basically it's just Windows that can't) 23:24 < troy-> gotcha - where might i read how to make the necessary changes? 23:24 < troy-> (i prefer PSK over certificates) 23:24 <+pekster> Why? You loose perfect forward secrecy, and if your keys are ever compromised all the past encrypted sessions can be decrypted with the key 23:25 < troy-> i have a lot of tunnels :P 23:25 < troy-> so i guess my answer is simplicity of installation 23:26 <+pekster> I can't say I agree, but as long as you understand the security advantages of a TLS/DH key exchagne and don't want it, that's fine 23:27 < troy-> all the application traffic is encrypted anyway 23:28 < troy-> can you suggest where i might start reading up on the required changes? 23:29 < ngharo> !topology 23:29 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. 
or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this. 23:31 < troy-> ngharo: so on the server side i just add directive "topology net30"? 23:32 < ngharo> net30 is the default 23:32 <+pekster> On both sides, since you can't push directives in p2p modes 23:32 < troy-> if that were the case i wouldnt have a /32 mask 23:32 < troy-> pekster: thanks 23:33 <+pekster> I'm not actually sure you can use topology net30 with --secret, but I'm looking into that now. I don't see what you're trying to do, really 23:34 <+pekster> Apparently you can (I suppose to support Windows clients) 23:34 < ngharo> troy-: you'll see your tun interface is configured with inet addr and p-t-p IP, these fall inside the /30 your client is assigned 23:36 < ngharo> (assuming youre currently not specifying topology) 23:36 < troy-> ngharo: i updated the config and restarted the tunnel however ifconfig still shows a mask of .255 23:37 < troy-> i'm just trying to segment my network so that i dont have to advertise /32s 23:37 <+pekster> Well, that's only a limitation of Windows ngharo. I can do 'ifconfig 10.1.2.3 192.168.7.8' just fine if using the p2p topology, as an overly-insane example 23:38 < troy-> pekster: are there additional changes i would have to make to the static key howto that i perhaps dont recognize? 23:38 < troy-> (aside from adding that line to each endpoint and restarting) 23:38 <+pekster> troy-: What are you trying to "fix"? I think Linux distros might use PtP anyway (the net30 is really just a hack to make p2p topology "work" under Windows) 23:40 < ngharo> it kinda of sounds like he may want topology subnet with a /30 ip-pool? 23:40 < ngharo> but only two hosts total on the vpn? i dunno 23:40 <+pekster> He can't *have* an "ip-pool" in p2p mode (he's using --secret, not X509) 23:41 < ngharo> oh, i didnt think static key affected any options 23:41 < ngharo> ignore me :) 23:44 <+pekster> troy-: Yea, I just tested it. 
net30 under non-Windows just uses PtP anyway, since it's just an emulation trick to make Windows work
23:44 <+pekster> troy-: So, let's get back to why you want this?
23:45 <+pekster> I really have no clue what you're trying to fix, because nothing is broken with a p2p setup
23:45 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux]
23:49 < troy-> pekster: i'm going to take this back to the drawing board -- thanks for your help
23:50 <+pekster> troy-: Yea. If you're doing BGP/OSPF or something and want larger routes, you're free to supernet/subnet as you desire, as with any traditional network. But p2p is "just 2 IP addresses", and even the notion of an IP address is just a virtual way to identify your peer
23:51 <+pekster> Technically, you can do something this stupid (PS: demo purposes only, "don't try this at home", etc) https://pastee.org/g65xx
23:52 < ngharo> what the hell pekster lol
23:52 <+pekster> Hey, it was just an example of what you "can" do (and very much should *not* do) ;)
23:53 < ngharo> pekster: are there advantages of using p2p over subnet?
23:53 < troy-> oh my this is interesting :P
23:53 <+pekster> For multi-client (aka server) mode? No, not at all
23:54 < ngharo> why isnt subnet default? for static key configs?
23:54 <+pekster> 'topology p2p' is used when you're doing just a p2p use (such as troy- has configured) or when you need to support OpenVPN 2.0.9 and don't need Windows support (I did a roll-out like that a while back)
23:54 <+pekster> Yea, I think so ngharo. IIRC there's a note in the manpage that it'll become the default
23:54 < ngharo> gotcha
23:55 <+pekster> Our server was 2.1 or 2.2, but the embedded device we were using only supported 2.0.9 or something. It was far easier to use p2p topology (all Linux-based platforms) than get a newer build working with the buildsystem
23:55 <+pekster> Dunno, that was last job
23:56 <+pekster> Oh, btw, assuming I didn't screw up those configs, they're fully usable (drop in static keys and you're set!) and it'll even route across all 4 systems :D
23:56 <+pekster> http://pekster.sdf.org/misc/crazy-ovpn-p2p.png
23:57 < troy-> i didnt know you could buy yellow paper anymore
23:57 <+pekster> I think that was after around 23 hours of no sleep and half a bottle of wine? Maybe more? ;)
23:58 < ngharo> :]
23:58 < troy-> pekster: is there an easy way to monitor tunnel status for p2p?
23:58 <+pekster> Monitor? As in, if it get disconnected? --up and --down should let you hook into that if you need
23:59 <+pekster> That's available for all modes/topologies
--- Day changed Sat Jan 05 2013
00:00 < troy-> that will tell me whether the tunnel is up?
00:00 < sw0rdfish> can someone hack into my openvpn?
00:00 <+pekster> It will with the --ping/--ping-exit (or --ping-restart) options
00:01 <+pekster> Oh, that's server mode only though
00:01 <+pekster> So, no, not really, without pinging your peer or something
00:01 < troy-> gotcha :/
00:01 < troy-> i have no way to monitor because my network is fully meshed
00:01 <+pekster> If you used X509 mode you could do what you want ;)
00:01 < troy-> *sigh*
00:01 < troy-> may have to
00:02 <+pekster> (that has a TLS control channel where --ping* options or the --keepalive helper directive will detect the presence of the remote peer)
00:02 < ngharo> what bout querying the management interface
00:03 <+pekster> The problem is if "no" traffic is being sent over a p2p, static-key setup, you can't know if the connection was "dropped" or if it's just silent
00:03 <+pekster> It's like asking me to know if google is up when I'm not sending any traffic there
00:03 < ngharo> ah interesting
00:03 < ngharo> i never played with static key setups
00:03 <+pekster> If *I* can't access google, that doesn't mean they're down, it just means I can't reach it. If the whole channel can't, we might assume google has some issue
00:03 < ngharo> i guess thats why i've heard you say it's better when dealing with dpi firewalls
00:04 <+pekster> Same issue: is the VPN down on the peer, or is my ISP blocking the traffic? We don't know
00:05 <+pekster> sw0rdfish: In theory? Yes. In practice, even a skilled attacker (NSA, etc) would be hard-pressed to do it (they'd probably just sneak into your house and get your keys/passwords while you're at work anyway)
00:06 <+pekster> Ask a more specific question, and get a more specific answer ;)
00:06 < ngharo> !shotgun
00:06 <@vpnHelper> "shotgun" is (#1) the most effective form of physical security or (#2) shotgun security? If you try to physically attack my network, I chase you with a shotgun.
00:06 < ngharo> love that
00:06 <+pekster> Also on point: https://xkcd.com/538/
00:06 <@vpnHelper> Title: xkcd: Security (at xkcd.com)
00:07 < ngharo> haha
00:10 < sw0rdfish> pekster, well... its just that when I opened paltalk right now on my laptop, I found another nickname listed there.... it lists all the nicknames with which you have logged on to paltalk at least once
00:10 < sw0rdfish> and I only use one nickname.... and when I saw the other I was like wtffff
00:10 < sw0rdfish> so I dunno.
00:11 <+pekster> I have no clue what "paltalk" is
00:12 <+pekster> OpenVPN, configured, set up, managed, and where all users holding private keys, are operated correctly, is a very, VERY secure system. Weakness at any of those points can reduce the security
00:16 <+pekster> ngharo: Another neat trick with p2p setups (either OpenVPN, or even a crossover Ethernet wire between 2 PCs) is to define the same address on each system, so long as the peer is different. ie: 10.0.0.1 is always "this" system, and 10.0.0.2 is "the other" system ;)
00:17 < ngharo> 0_o
00:17 <+pekster> More for the "don't do that at home" tricks, but it's fun to do with someone watching over your shoulder as you rsync files across 2 PCs with a cat5e and gigE cable between them :D
00:18 < ngharo> i've done crossover for transferring data but i dont get the using same IP part
00:19 < ngharo> how would the other end know to respond on .2?
00:19 <+pekster> Because it's a p2p link ;)
00:20 < ngharo> was this discovery the result of another late night binge? ;)
00:20 <+pekster> No, that trick I knew. I don't usually set up ovpn configs to glue them together unless I'm a bit tipsy ;)
00:20 < ngharo> haha
00:21 <+pekster> Do it on a cross over cable? Sure, it's a fun party trick. Set up a virtual link of 4 systems with complete routing doing it? Now you're just crazy
00:23 < ngharo> virtual daisy chaining
00:23 <+pekster> Yea, basically. It's just a virtual set of a bunch of crossover cables
00:24 < ngharo> goo Devastator
00:24 < ngharo> oops
00:25 < ngharo> good times :) i got a flight to catch in the AM... night all
00:36 -!- HyperGlide [~HyperGlid@182.151.60.13] has joined #openvpn
00:53 -!- m0sphere [m0sphere@S01060018e78c9cff.cg.shawcable.net] has quit [Read error: Connection reset by peer]
00:53 -!- m0sphere` [m0sphere@S01060018e78c9cff.cg.shawcable.net] has joined #openvpn
01:03 -!- HyperGlide [~HyperGlid@182.151.60.13] has quit [Remote host closed the connection]
01:55 -!- brute11k [~brute11k@89.249.235.187] has joined #openvpn
02:15 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
03:33 -!- k1ng [~k1ng@unaffiliated/k1ng] has quit [Ping timeout: 248 seconds]
03:39 -!- k1ng [~k1ng@unaffiliated/k1ng] has joined #openvpn
04:17 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has joined #openvpn
04:51 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
04:51 -!- mode/#openvpn [+o mattock] by ChanServ
05:11 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
05:23 -!- LumberCartel [~LumberCar@96.53.47.42] has joined #openvpn
05:23 -!- LumberCartel [~LumberCar@96.53.47.42] has left #openvpn []
05:35 -!- ade_b [~Ade@koln-4d0b5627.pool.mediaWays.net] has joined #openvpn
05:35 -!- ade_b [~Ade@koln-4d0b5627.pool.mediaWays.net] has quit [Changing host]
05:35 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:45 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye]
05:54 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:10 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Remote host closed the connection]
06:14 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
06:21 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn
06:41 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Quit: Ex-Chat]
07:31 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
07:35 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has quit [Ping timeout: 244 seconds]
07:35 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has joined #openvpn
07:46 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
07:48 -!- baobei_ [~baobei@208.111.39.160] has joined #openvpn
07:50 < baobei_> hey ho
07:51 < baobei_> a friend has a kindle fire, afaik openvpn won't work on that, so the only option is to buy a router that supports openvpn
07:51 < baobei_> is there a list of some decent routers that can handle openvpn?
07:52 <+EugeneKay> Anything that supports openwrt or one of the custom embedded firmware linux distros
07:52 < baobei_> is there a recommended minimum ram, cpu requirement
07:53 < baobei_> i once bricked a router trying to install openwrt lol
07:53 <+EugeneKay> And you can reflash the Fire to CM10, which definitely does openvpn
07:54 < baobei_> it was an xmas gift and he's not very tech savvy, i dont think he'd want to mess with it
07:54 <+EugeneKay> I know precisely zero about integrated routers, sorry. I use an i3-540 with 8GB of RAM running a full server stack :-p
07:54 < baobei_> anyway thanks you've pointed me in the right direction
07:56 < baobei_> if anyone knows about openvpn on routers, would 64mb of ram be enough? and 8mb flash, thanks
08:18 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
08:23 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Read error: No route to host]
08:23 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
08:38 -!- cosmicgate- [~cosmicgat@you.think.japan.is.cool.well.cosmicgate.is.stuck.injp.net] has quit []
08:44 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
08:46 -!- baobei_ [~baobei@208.111.39.160] has quit [Ping timeout: 245 seconds]
08:47 -!- Porkepix [~Porkepix@83.159.5.235] has quit [Read error: Operation timed out]
08:50 -!- Porkepix [~Porkepix@lns-bzn-23-82-248-114-106.adsl.proxad.net] has joined #openvpn
08:56 -!- baobei_ [~baobei@58.37.20.245] has joined #openvpn
09:08 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
10:01 -!- Porkepix [~Porkepix@lns-bzn-23-82-248-114-106.adsl.proxad.net] has quit [Quit: Computer has gone to sleep.]
10:19 -!- Porkepix [~Porkepix@LMontsouris-156-24-53-197.w193-253.abo.wanadoo.fr] has joined #openvpn
10:21 -!- master_of_master [~master_of@p57B52EA2.dip.t-dialin.net] has quit [Ping timeout: 252 seconds]
10:22 -!- hg_5_ [~chatzilla@ip-37-209-133-44.free.aero2.net.pl] has joined #openvpn
10:23 -!- master_of_master [~master_of@p57B55186.dip.t-dialin.net] has joined #openvpn
10:34 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
10:35 -!- hg_5_ [~chatzilla@ip-37-209-133-44.free.aero2.net.pl] has quit [Quit: ChatZilla 0.9.89-rdmsoft [XULRunner 1.9.0.17/2009122204]]
10:35 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn
10:36 < hg_5> hello, i have problem when im trying to connect to my openvpn server, i get this error in openvpngui Error: cannot locate HMAC in incoming packet from
10:36 < hg_5> Error: cannot locate HMAC in incoming packet from xxx.xxx.xxx.xxx:1194
10:37 -!- Porkepix [~Porkepix@LMontsouris-156-24-53-197.w193-253.abo.wanadoo.fr] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
10:39 -!- Porkepix [~Porkepix@LMontsouris-156-24-53-197.w193-253.abo.wanadoo.fr] has joined #openvpn
10:45 -!- baobei_ [~baobei@58.37.20.245] has quit [Quit: Leaving]
10:58 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Quit: ChatZilla 0.9.89-rdmsoft [XULRunner 1.9.0.17/2009122204]]
11:42 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
11:42 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
11:42 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
11:42 -!- mode/#openvpn [+o krzee] by ChanServ
12:03 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has joined #openvpn
12:14 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
12:18 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
12:45 -!- k1ng [~k1ng@unaffiliated/k1ng] has quit [Ping timeout: 276 seconds]
12:53 -!- piezo [~piezo@pdpc/supporter/active/piezo] has left #openvpn []
12:55 -!- k1ng [~k1ng@unaffiliated/k1ng] has joined #openvpn
13:13 -!- Porkepix [~Porkepix@LMontsouris-156-24-53-197.w193-253.abo.wanadoo.fr] has quit [Quit: Computer has gone to sleep.]
13:23 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
13:23 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
13:39 -!- brute11k [~brute11k@89.249.235.187] has quit [Quit: Leaving.]
13:44 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Quit: Ex-Chat]
13:57 -!- MeanderingCode [~Meanderin@71-213-184-243.albq.qwest.net] has joined #openvpn
13:59 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
14:12 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds]
14:18 -!- Porkepix [~Porkepix@lns-bzn-23-82-248-114-106.adsl.proxad.net] has joined #openvpn
14:24 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
14:28 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Connection timed out]
14:37 -!- Mimiko [~Mimiko@89.28.88.177] has quit []
14:39 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
14:56 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Operation timed out]
15:04 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
15:08 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:08 -!- mode/#openvpn [+v s7r] by ChanServ
15:43 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has quit [Read error: Connection reset by peer]
16:04 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
16:12 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
16:15 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
16:17 -!- emmanuelux [~emmanuelu@vpn7.freedom-ip.com] has joined #openvpn
16:18 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has joined #openvpn
16:19 -!- MeanderingCode [~Meanderin@71-213-184-243.albq.qwest.net] has quit [Ping timeout: 276 seconds]
16:22 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Ping timeout: 240 seconds]
16:24 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn
16:45 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 264 seconds]
16:51 -!- u0m3 [~Radu@92.80.90.7] has joined #openvpn
17:02 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 276 seconds]
17:03 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
17:03 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
17:43 -!- JackWinter2 [~jack@vodsl-4655.vo.lu] has joined #openvpn
17:44 -!- JackWinter2 [~jack@vodsl-4655.vo.lu] has quit [Client Quit]
17:55 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
18:06 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat]
18:59 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has quit [Ping timeout: 240 seconds]
19:11 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
19:18 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
19:33 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:51 -!- emmanuelux [~emmanuelu@vpn7.freedom-ip.com] has quit [Quit: emmanuelux]
19:53 -!- nutron [~nutron@unaffiliated/nutron] has quit [Quit: I must go eat my cheese!]
20:30 -!- u0m3 [~Radu@92.80.90.7] has quit [Quit: Leaving]
20:37 -!- Porkepix [~Porkepix@lns-bzn-23-82-248-114-106.adsl.proxad.net] has quit [Ping timeout: 252 seconds]
20:52 -!- sw0rdfish- [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has joined #openvpn
20:55 -!- Porkepix [~Porkepix@lns-bzn-23-82-248-114-106.adsl.proxad.net] has joined #openvpn
20:59 -!- sw0rdfish- is now known as sw0rdfish
21:00 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has quit [Changing host]
21:00 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn
21:25 -!- valparaiso [~valparais@ARennes-257-1-67-126.w81-53.abo.wanadoo.fr] has joined #openvpn
21:53 -!- m0sphere [m0sphere@S01060018e78c9cff.cg.shawcable.net] has joined #openvpn
21:55 -!- m0sphere` [m0sphere@S01060018e78c9cff.cg.shawcable.net] has quit [Ping timeout: 240 seconds]
22:34 -!- i7c [~i7c@212.47.190.111] has left #openvpn ["WeeChat 0.3.9.2"]
23:05 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
23:05 -!- mode/#openvpn [+o krzee] by ChanServ
23:52 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
--- Day changed Sun Jan 06 2013
00:07 -!- kyrix_ [~ashley@71-212-67-12.tukw.qwest.net] has joined #openvpn
00:09 -!- kyrix [~ashley@97-113-115-104.tukw.qwest.net] has quit [Ping timeout: 255 seconds]
00:20 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
00:20 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
00:20 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
00:20 -!- mode/#openvpn [+o krzee] by ChanServ
00:55 -!- ch1mkey [ch1m@ns203993.ovh.net] has joined #openvpn
01:15 -!- soulcito [~soulse@190.222.252.9] has joined #openvpn
01:15 < soulcito> is possible to configure a openvpn client without encryption?
01:15 <@krzee> !noenc
01:16 <@vpnHelper> "noenc" is (#1) if you're going to disable encryption, you might as well build a GRE tunnel or (#2) but you would use cipher none
01:16 <@krzee> you really dont want openvpn involved if you dont want encryption
01:16 <+pekster> Wow, an 11 second RTO :P
01:16 <@krzee> it will just get in the way =]
01:16 <@krzee> lol
01:16 < soulcito> krzee just need to get a tunnel
01:17 < soulcito> do you know where in ubuntu are the openvpn profiles stored?
01:17 < soulcito> cant find them anywhere
01:17 <@krzee> ya consider gre tunnels, its the tunnel stuff without the encryption
01:17 < soulcito> ive been just configuring the network manager gui
01:17 <@krzee> nooooo
01:17 <@krzee> !netman
01:17 <@vpnHelper> "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list
01:17 <@krzee> !ubuntu
01:17 <@vpnHelper> "ubuntu" is dont use network manager!
01:17 <+pekster> 'man ip' or 'ip tunnel help' for basic tunneling
01:18 < Wintereise> krzee smells
01:18 < soulcito> cant change to gre
01:18 < Wintereise> =)
01:18 < Wintereise> Sup
01:18 < soulcito> i need to connect a openvpn server
01:18 < soulcito> no other option
01:18 < soulcito> its a service
01:18 <@krzee> a vpn service without encryption?
01:18 <@krzee> your config MUST match theirs
01:18 < Wintereise> GRE is enabled by default on most linux configs, btw.
01:18 <@krzee> you cant opt to disable encryption if they arent doing the same
01:19 < soulcito> krzee: just need a exit point in US
01:19 <@krzee> you should have been given a config by them, drop that in /etc/openvpn with .conf
01:19 <@krzee> soulcito, that does not change what i said
01:19 <@krzee> if your provider uses encryption, you must...
01:19 < soulcito> the provider let me disable it
01:19 <@krzee> !provider
01:19 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
01:20 <@krzee> they should have given you your config file
01:20 < soulcito> its a webpage with just some option :)
01:20 <@krzee> you will not be able to guess all their config
01:20 < soulcito> i want to make it the lighter possible because my router is dying because of the encryption load
01:20 <@krzee> your router will be running openvpn?
01:21 < soulcito> no
01:21 < soulcito> its a ubuntu behind
01:21 <@krzee> then it wont know about the encryption
01:21 < soulcito> cant read the encryption but it could be trying to inspect it
01:21 <@krzee> unless you're doing deep packet inspection on your router
01:21 < soulcito> it consumes cpu
01:21 < soulcito> inspect/track
01:21 <@krzee> thats dumb, why would it be doing that?
01:22 < Wintereise> nf_conntrack is disable-able even on most mips kernels, if you didn't know.
01:22 < soulcito> well if its udp it need to identify its a connection and let the return packet in
01:22 <@krzee> ^ that wouldnt be special for encrypted packets
01:22 < Wintereise> And what krzee said, your router shouldn't even know what the packet is
01:22 <@krzee> what hes saying would be some deep packet inspection
01:22 < Wintereise> Its job is to send them and receive them, encryption doesn't matter
01:22 < soulcito> maybe not deep packet inspection
01:22 <@krzee> in which case, lol at you for not disabling that on your own vpn
01:22 < Wintereise> krzee, yeah, does sound like DPI
01:23 < soulcito> but at least need to track the connection to let the return packet in
01:23 <@krzee> you mean nat tracking, once again it wont know if its encrypted payload or not
01:23 <@krzee> its just data
01:23 <+pekster> soulcito: Unless you're running OpenVPN on your router, a residential router isn't going to be suffering a higher load to support a client behind it using openvpn with encryption versus without it
01:23 < Wintereise> Sounds like something else is wrong, tbqh
01:23 <+pekster> I can assure you that you are not running a DPI/IDS system without knowing what that is, so I'm pretty sure you don't have one ;)
01:24 < soulcito> well im trying to discard, it could be other option enabled in the ip packet that make my router die
01:24 < soulcito> but in fact it dies
01:24 <@krzee> pekster, ++
01:24 < soulcito> oh come on
01:24 < soulcito> i know some stuff
01:24 < soulcito> i am network engineer -_-
01:24 <@krzee> oh boy
01:24 * krzee runs
01:24 < Wintereise> lol
01:24 < Wintereise> now now
01:25 < soulcito> lol
01:25 < Wintereise> What kind of router is this?
01:25 <+pekster> Yet you don't know if your router has DPI features? What OSI layer do you suspect your DPI is looking at? L4? L7? Ugh
01:25 < Wintereise> I really suspect any router that has DPI features would be dying from simple vpn packets too
01:25 < Wintereise> So lol
01:25 < soulcito> i was just doing a simple question... dont need to take to degenerate it O_O
01:25 <+pekster> tl;dr: your router doesn't give a crap if you have an unencrypted VPN, encrypted VPN, youtube video, or IRC session
01:26 <@krzee> your answer was given in the first response
01:26 <+pekster> soulcito: If you control both the server and the client and are able to modify encryption options at *BOTH* ends of your VPN peering, look at the --cipher and --alg options in the manpage
01:26 <@krzee> we just felt like you could benefit from additional info
01:26 < soulcito> yeah thank you
01:27 <+pekster> Be aware that all the data running across the link is fully visible to anyone on the wire (on the router path over the Internet, and possibly anyone in their L2 (Ethernet) network as well)
01:27 < soulcito> but you were trying to say I dont know what i am talking about
01:27 <@krzee> right^, and if you dont control the server you shouldnt be configuring it yourself. and you should never configure using network manager
01:27 <@krzee> if you wish to import a working config to network manager to use, thats fine
01:27 <+pekster> When you were talking about your router dying/crashing/locking-up when you use an encrypted VPN, that sounds like BS. And I do networking as a profession
01:27 <@krzee> soulcito, well you did demonstrate that while we talked about your router
01:28 <@krzee> and as a network engineer you get a quicker lashing for it l[
01:28 <@krzee> ;]
01:28 < soulcito> well i am just checking why it is dying
01:28 < soulcito> not sure what it fails to check
01:28 <+pekster> From a single UDP stream?
01:28 < soulcito> because I dont have the option to troubleshoot in it
01:28 < soulcito> i think it doesnt have
01:28 <@krzee> if theres ANY single udp stream killing it, i would throw it away immediately
01:28 <+pekster> Spend $30 on a router that can run OpenWRT and manage your own network ;)
01:29 <@krzee> ^^^
01:29 < soulcito> well every router has its limitations depending on the type of traffic
01:29 < soulcito> i have seen a lot of cases
01:29 <@krzee> lol
01:29 <@krzee> seen a lot of them die from a single simple udp stream?
01:29 <@krzee> cause i would call that a fatal bug
01:30 <@krzee> and openvpn has never been known to trigger any neat nukes in routers, although ild consider that awesome
01:30 * krzee ddos'es you with openvpn clients!
01:30 < soulcito> well it recognize it as a lot of connections, the table could go full and run of memory and die
01:30 <@krzee> nope
01:30 <+pekster> No, see, OpenVPN operates over a SINGLE port
01:30 <+pekster> Just one. Ever.
01:31 < soulcito> it could be the same port but different connections
01:31 <@krzee> negative ghostrider
01:31 <@krzee> unless your stuff reeeeeeeeeally sucks in special ways
01:32 -!- brute11k [~brute11k@89.249.235.187] has joined #openvpn
01:32 <@krzee> in which case, see the above suggestion about spending $30 and doing it like a network engineer
01:32 < soulcito> oh come on
01:32 <@krzee> btw, openwrt would be able to handle the vpn stuff too
01:32 < soulcito> you could have a lot of users connection to same web port
01:32 < soulcito> and they are different connections
01:32 <@krzee> so you wouldnt even need it on the lan machine(s)
01:32 < soulcito> even its a single user
01:32 <+pekster> But you are a CLIENT, not the SERVER
01:32 < soulcito> i know
01:33 < soulcito> but the router need to identify connections and save them
01:33 < soulcito> for the return
01:33 <@krzee> the server may have different connections, 1 per client
01:33 < soulcito> in udp is harder
01:33 <@krzee> but the client will only ever have a single connection, period
01:33 <+pekster> No, it's easier because it's a stream connection, not a stateful based connection
01:33 <+pekster> UDP is a "simpler" protocol. Which you should know as a "network engineer"
01:33 <@krzee> right, and i suggest not attempting to keepstate on udp if that is an option
01:34 <+pekster> UDP is stateless. Modern routers track the "state" of it as a stream based on a time limit, commonly 2-3 minutes for an established stream
01:34 <@krzee> although it can be done, its a hack and ugly as hell often times
01:34 <+pekster> So, your router is using around 100 bytes or so to track the connection, and a negligible amount of CPU traffic to handle the NAT. If that "breaks" it, buy a non-shitty piece of equipment. That's not an OpenVPN problem
01:34 < soulcito> pekster: dont need to be a troll
01:34 <@krzee> ehh?
01:34 <@krzee> pekster is helping you
01:35 <+pekster> I'm providing all sorts of useful information if you'd like to read what I have to say
01:35 < soulcito> "Which you should know as a "network engineer""
01:35 < soulcito> that was offensive
01:35 <@krzee> you should!
01:36 < soulcito> what?
01:36 <+pekster> If that was offensive that wasn't the intent. I'm refuting your claim that UDP is more taxing on modern stateful NAT firewalls in embedded routers, which is completely false. Take away from that what you want.
01:36 < soulcito> udp is simpler?
01:36 <@krzee> you're the one who declared your network engineer status
01:36 < soulcito> come on, for a router could be headache
01:36 <@krzee> we're attempting to teach you stuff that we feel you should already know based on that declaration
01:36 <@krzee> which is fine, but you're fighting accepting the information
01:36 <+pekster> Yes. UDP is MUCH easier to track since you don't need to worry about tracking syn-received, ack-sent, established tcp, fin, fin-wait, and fin-ack states
01:37 <+pekster> TCP is stateful, which means you not only need to track the connection state (in stateful firewalls,) but you ALSO need to track what condition the tracked connection is in. UDP is just a raw stream of data with no "start" or "end", and thus no worry about what condition the stream is in
01:37 <+pekster> !tcpip
01:37 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
01:37 <@krzee> soulcito, what you said is only if its attempting to do udp state tracking, which it should NOT be doing and you should disable if you somehow did enable it.
01:38 < soulcito> one example, dont you think it could be difficult for a router to identify if its just a unidirectional udp?...
01:38 <@krzee> no
01:38 <@krzee> its not
01:38 <@krzee> its a 2 way stream
01:38 <@krzee> and even if it were not, no
01:38 < soulcito> but it needs to wait for the return, time in save the connection in the memory
01:38 <+pekster> Well, DHT is sometimes "unidirectional" in which case the entry is dropped from a stateful firewall system within about 30-60 seconds
01:38 <@krzee> exactly what do you think its trying to identify dude?
01:39 <@krzee> the encryption is all payload, why would your layer4 device be worrying about the layer7 data?
01:39 < soulcito> it could have other checks to confirm but dont know if a udp is unidirectional without waiting for the return
01:39 <+pekster> stateful tracking isn't on a per-packet basis; it's on a per-connection basis, of which OpenVPN uses one.
01:40 < soulcito> pekster: ok 30-60 seconds its a LOT, multiple for every udp stream could be generated
01:40 <@krzee> what router are you using anyways?
01:40 < soulcito> krzee: dunno, im just trying to discard, if it is not related to the encryption
01:40 < soulcito> its a cisco cablemodem
01:40 <+pekster> soulcito: I run bittorrent through a router with 16M of RAM. My stateful firewall maintains around 1500 to 2000 known states at any given point in time, and this is a fairly cheap, low-end router by todays standards
01:41 <@krzee> your cisco cablemodem doesnt do any dpi, therefore i just ruled it out for you
01:41 <@krzee> but go ahead and test all ya like ;]
01:42 <@krzee> if you dont learn by listening, maybe experience will help
01:42 < soulcito> -_-
01:42 <@krzee> in case the answer was lost under all the talk:
01:42 <@krzee> !noenc
01:42 <@vpnHelper> "noenc" is (#1) if you're going to disable encryption, you might as well build a GRE tunnel or (#2) but you would use cipher none
01:43 <@krzee> #2
01:43 < soulcito> yeah i know
01:43 < soulcito> then the network manager problem appeared
01:43 < soulcito> :)
01:43 <@krzee> !netman
01:43 <@vpnHelper> "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list
01:43 <@krzee> !ubuntu
01:43 <@vpnHelper> "ubuntu" is dont use network manager!
01:43 <@krzee> netman *is* a problem :-p
01:44 <@krzee> drop your config in /etc/openvpn named .conf
01:44 < chrisb> it has been years since i've owned a non-consumer router(cisco)...what's a good one?
01:45 <@krzee> i expect you wont guess your config right, but i wont be able to help with that since you dont run your server
01:45 < soulcito> pekster: most of the "fairly cheap" routers dies after 3-4 days of doing 4-5 concurrent torrents
01:45 < soulcito> pekster: memory gets full of garbage
01:45 <+pekster> "memory gets full of garbage" ??
01:46 <@krzee> wow, what complete crap
01:46 <@krzee> spend the $30 for an openwrt able router
01:46 <@krzee> lol
01:47 <+pekster> I'm running an Asus WL-520gu router, a fairly generic OpenWRT-supported system with 4M flash, 16M RAM, 5 100 Base-T ports, and I support about 2 dozen FOSS torrents and around 2k connections overnight during my higher upload seeding time
01:47 <+pekster> I think it cost me about $30 after rebate, and that was 2+ years ago
01:47 <@krzee> when did it last reboot pekster
01:47 <@krzee> :D
01:48 <+pekster> About a month ago, and that was because I made a mistake and locked myself out with a "quick" rulechange that had a typo in my fw rules :P
01:48 < soulcito> just lost a linksys trying to convert to dd-wrt :-)
01:48 <+pekster> I used a similar product at my last job (Asus WL-500gPv2) and saw them stay running for months. I think the longest uptime was 200+ days before that person was fired
01:48 <@krzee> bricking routers doesnt sound very network-engineerish, did you develop the rom in question or something? :D
01:49 <+pekster> OpenWRT is more friendly to those looking to tinker with the networking, IMO, especially if you don't care about the WebUI frontend
01:49 <+pekster> Plus their build system is better ;)
01:49 <@krzee> my ddwrt doesnt even have a web frontend
01:50 <@krzee> and their buildsystem is lazy too once you write shell script wrappers! :D
01:50 < soulcito> krzee: it was just a PoC :)
01:50 <+pekster> 4M of flash on my home router, I don't have *room* for LuCI :D
01:50 < Wintereise> I have a rtn16
01:50 <@krzee> pekster, exactly!
01:50 * Wintereise waits to be bashed
01:50 <@krzee> bashed?
01:50 <@krzee> a quick google reveals it looks nice
01:51 <@krzee> holey shittons of ram
01:51 <@krzee> and flash too
01:51 < Wintereise> It's great, yeah
01:51 * krzee steals Wintereise's router
01:51 < Wintereise> nou :<
01:52 * soulcito has a CRS-3/16 :P
01:52 < soulcito> lol
01:52 <@krzee> my fav router is my freebsd server tho
01:52 <@krzee> with 3 nics and 4 tunnel devices
01:52 <@krzee> pf to keep the packets going where they should ;]
01:52 < Wintereise> http://www.asus.com/websites/global/products/WAa6AQFncrceRBEo/super_speed.jpg
01:52 < Wintereise> That is what tempted me
01:53 <@krzee> and multiple FIBS for the multiple uplink routing
01:53 <+pekster> I'll spend more than $30 on a router when ISPs offer real connection speeds like fiber to the door
01:53 <@krzee> mmmm fiber
01:53 <+pekster> US has 2nd world Internet connectivity :(
01:53 <@krzee> im in 3rd world
01:53 <@krzee> ild kill for some 2nd world
01:54 < soulcito> where are you from?
01:54 <@krzee> I live in the Caribbean
01:54 < soulcito> where
01:54 <@krzee> I saw that you speak Spanish too
01:54 < soulcito> yes
01:54 < soulcito> (-:
01:55 <@krzee> I visited Lima, it's beautiful
01:56 < soulcito> the best thing is its food
01:56 < soulcito> are you from the Dominican Republic, PR?
01:56 <@krzee> im from california
01:56 < soulcito> lol
01:56 <@krzee> headed back soon for a visit
01:57 < Wintereise> I want a rtn66u or something
01:57 < Wintereise> It looks so amazing
01:57 <@krzee> !krzee
01:57 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20 or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg
01:57 <@krzee> ^ me
01:58 < soulcito> what is that ? O_o
01:58 <@krzee> a blunt
01:59 <+pekster> RT-N66U has really ugly binary driver blobs
02:00 < Wintereise> It can't run openwrt yet?
02:00 < Wintereise> lame
02:00 <+pekster> https://forum.openwrt.org/viewtopic.php?id=33812
02:00 <@vpnHelper> Title: OpenWRT support for the ASUS RT-N66U (Page 1) — General Discussion — OpenWrt (at forum.openwrt.org)
02:01 <@krzee> supported by tomatousb and dd-wrt but not openwrt
02:01 < Wintereise> talk about sad
02:01 <@krzee> meh same shit, i dont touch the web gui anyways
02:01 <+pekster> My Asus unit only supports wifi with a 2.4 kernel ;) (thankfully I didn't buy it for wifi, and I'm running a new-ish 2.6 kernel without wifi, because Broadcom sucks)
02:01 <@krzee> broadcrap
02:01 <@krzee> i feel the same way about realtek (realcrap)
02:02 <@krzee> for their ethernet cards tho, their wiki is fine
02:02 < Wintereise> Both are equally shit
02:02 <+pekster> Depends on the chipset; there are a small handful of RTL chipsets that are open-enough to remain supported for pretty much any kernel >=2.2
02:03 <+pekster> No clue why open hardware isn't more in-demand :(
02:03 < Wintereise> Linux RT-N66U 2.6.22.19 #1 Tue Nov 22 10:29:48 CST 2011 mips GNU/Linux
02:03 < Wintereise> yay for ancient
02:04 <+pekster> And that, is why I demand devices that don't require binary blobs to run :(
02:04 < Wintereise> system type : Broadcom BCM5300 chip rev 1 pkg 0
02:04 < Wintereise> not bad
02:04 <+pekster> "But, but the label said OpenSource and dd-WRT supported"
02:04 <+pekster> Right
02:05 <+pekster> Read: we created a build using some arbitrary dd-wrt version and built the vendor's proprietary binary network blob for that kernel version specifically
02:05 <@krzee> haha
02:05 <+pekster> I'm not ripping on dd-wrt (even though I like OpenWRT more,) but the mfgr's choice to not really "support" the product they built
02:06 < Wintereise> ASUS Support has not answered for 10 days on the bug report I sent in via vip.asus.com
02:06 < Wintereise> lol
02:06 < Wintereise> VIP VIP VIPPAY
02:06 < Wintereise> I have a z77 board that classifies me as 'vip' too
02:07 < Wintereise> And same case there
02:07 < Wintereise> Ultra slow support
02:07 < Wintereise> They eventually do reply
02:09 < soulcito> oh i found the damn profiles :-)
02:10 < soulcito> /etc/NetworkManager/system-connections/
02:20 < soulcito> silence~~
02:22 -!- kyrix_ [~ashley@71-212-67-12.tukw.qwest.net] has quit [Quit: Ex-Chat]
02:22 -!- kyrix [~ashley@71-212-67-12.tukw.qwest.net] has joined #openvpn
02:43 -!- brute11k [~brute11k@89.249.235.187] has quit [Ping timeout: 255 seconds]
03:20 -!- brute11k [~brute11k@89.249.230.5] has joined #openvpn
03:42 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
03:48 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 248 seconds]
03:54 -!- Porkepix [~Porkepix@lns-bzn-23-82-248-114-106.adsl.proxad.net] has quit [Ping timeout: 272 seconds]
03:56 -!- Porkepix [~Porkepix@lns-bzn-23-82-248-114-106.adsl.proxad.net] has joined #openvpn
04:17 -!- catsup [~d@64.111.123.163] has quit [Remote host closed the connection]
04:17 -!- catsup [~d@64.111.123.163] has joined #openvpn
04:18 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has quit []
04:39 -!- soulcito [~soulse@190.222.252.9] has quit [Remote host closed the connection]
04:39 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:00 -!- ade_ [~Ade@koln-5d816bdb.pool.mediaways.net] has joined #openvpn
05:01 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
05:17 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Quit: Ex-Chat]
05:48 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye]
06:12 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
06:34 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
07:40 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:47 -!- fluter [~fluter@fedora/fluter] has joined #openvpn
08:05 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 248 seconds]
08:06 -!- Porkepix [~Porkepix@lns-bzn-23-82-248-114-106.adsl.proxad.net] has quit [Quit: Computer has gone to sleep.]
08:17 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
08:17 -!- mode/#openvpn [+v s7r] by ChanServ
08:21 -!- Porkepix [~Porkepix@lns-bzn-23-82-248-114-106.adsl.proxad.net] has joined #openvpn
08:46 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
08:46 -!- ade_ [~Ade@koln-5d816bdb.pool.mediaways.net] has quit [Quit: Too sexy for his shirt]
08:48 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Remote host closed the connection]
08:50 -!- Porkepix [~Porkepix@lns-bzn-23-82-248-114-106.adsl.proxad.net] has quit [Ping timeout: 276 seconds]
08:50 -!- Porkepix [~Porkepix@lns-bzn-54-82-251-84-104.adsl.proxad.net] has joined #openvpn
08:51 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 248 seconds]
09:01 <+s7r> what kind of certs does openvpn use? X509 ?
09:04 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:10 -!- PhotoJim [~Jim@devonport.ip4.photojim.ca] has quit [Ping timeout: 255 seconds]
09:17 <+dvl> s7r: I think so. I can point here, I just wrote this. Does that help? http://dan.langille.org/2013/01/03/ssl-admin/
09:17 -!- PhotoJim [~Jim@devonport.ip4.photojim.ca] has joined #openvpn
09:17 <+dvl> $ openssl x509 -text -in active/ca.crt
09:17 <+dvl> etc? so yeah, I think so.
09:21 <+s7r> yup
09:21 <+s7r> that is correct dvl
09:21 <+s7r> nice documentation you have written here
09:21 <+s7r> you use freebsd ?
09:21 <+dvl> Thank you. Yes.
09:22 <+dvl> I usually write at http://www.freebsddiary.org/ but have taken to WordPress. I'm converting the Diary over.
09:22 <@vpnHelper> Title: The FreeBSD Diary (at www.freebsddiary.org)
09:32 <+s7r> nice
09:32 <+s7r> to have u here
09:35 <+dvl> thanks
09:36 -!- fluter [~fluter@fedora/fluter] has quit [Read error: Operation timed out]
09:53 -!- m0sphere` [m0sphere@S01060018e78c9cff.cg.shawcable.net] has joined #openvpn
09:54 <+s7r> l
09:56 -!- m0sphere [m0sphere@S01060018e78c9cff.cg.shawcable.net] has quit [Ping timeout: 265 seconds]
10:21 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
10:21 -!- master_of_master [~master_of@p57B55186.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
10:23 -!- master_of_master [~master_of@p57B536BC.dip.t-dialin.net] has joined #openvpn
10:25 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn
10:53 -!- Porkepix [~Porkepix@lns-bzn-54-82-251-84-104.adsl.proxad.net] has quit [Ping timeout: 252 seconds]
10:55 -!- Porkepix [~Porkepix@lns-bzn-54-82-251-84-104.adsl.proxad.net] has joined #openvpn
11:03 -!- gallatin [~gallatin@dslb-188-109-167-165.pools.arcor-ip.net] has joined #openvpn
11:15 -!- kyrix [~ashley@71-212-67-12.tukw.qwest.net] has quit [Ping timeout: 252 seconds]
11:17 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
11:19 -!- kyrix [~ashley@71-212-76-89.tukw.qwest.net] has joined #openvpn
11:45 -!- ade_b [~Ade@ip-109-41-93-148.web.vodafone.de] has joined #openvpn
11:45 -!- ade_b [~Ade@ip-109-41-93-148.web.vodafone.de] has quit [Changing host]
11:45 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:46 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
11:51 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
12:07 <+s7r> dvl: u there?
12:08 -!- valparaiso [~valparais@ARennes-257-1-67-126.w81-53.abo.wanadoo.fr] has left #openvpn []
12:26 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn
12:26 < DBordello> !goal
12:26 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server, I would like to access the internet over my vpn, I just want a secure connection between 2 computers, etc
12:37 < soulse> !sex
12:37 < soulse> lol
12:54 -!- gallatin [~gallatin@dslb-188-109-167-165.pools.arcor-ip.net] has quit [Quit: Client exiting]
13:00 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
13:01 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
13:02 -!- pie___ [~pie_@unaffiliated/pie-/x-0787662] has quit [Read error: Connection reset by peer]
13:02 -!- pie___ [~pie_@84-236-109-204.pool.digikabel.hu] has joined #openvpn
13:02 -!- pie___ [~pie_@84-236-109-204.pool.digikabel.hu] has quit [Changing host]
13:02 -!- pie___ [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
13:06 -!- cmelbye [~charlie@yourwiki/staff/charlie] has quit [Ping timeout: 276 seconds]
13:06 -!- cmelbye [~charlie@yourwiki/staff/charlie] has joined #openvpn
13:12 -!- digilink [~digilink@unaffiliated/digilink] has quit [Quit: ZNC - http://znc.in]
13:19 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
13:44 -!- digilink [~digilink@unaffiliated/digilink] has quit [Quit: ZNC - http://znc.in]
13:45 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
13:46 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
13:47 -!- brute11k [~brute11k@89.249.230.5] has quit [Quit: Leaving.]
13:50 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
13:54 -!- Nanuq [~nanuq@tlalocan.teotlalli.ecks.ca] has quit [Read error: Operation timed out]
13:54 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Read error: Operation timed out]
13:55 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Read error: Operation timed out]
13:57 -!- Nanuq [~nanuq@tlalocan.teotlalli.ecks.ca] has joined #openvpn
13:57 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
13:57 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
13:58 -!- mode/#openvpn [+o plaisthos] by ChanServ
13:59 -!- kyrix [~ashley@71-212-76-89.tukw.qwest.net] has quit [Ping timeout: 252 seconds]
14:05 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
14:06 -!- Nanuq [~nanuq@tlalocan.teotlalli.ecks.ca] has quit [Read error: Operation timed out]
14:09 -!- Nanuq [~nanuq@tlalocan.teotlalli.ecks.ca] has joined #openvpn
14:17 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving]
14:23 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
14:31 -!- emmanuel__ [~emmanuelu@178.33.182.87] has joined #openvpn
14:32 -!- emmanuel__ [~emmanuelu@178.33.182.87] has quit [Read error: Connection reset by peer]
14:33 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Ping timeout: 255 seconds]
14:45 -!- Porkepix [~Porkepix@lns-bzn-54-82-251-84-104.adsl.proxad.net] has quit [Quit: Computer has gone to sleep.]
15:03 -!- kyrix [~ashley@71-212-76-89.tukw.qwest.net] has joined #openvpn
15:48 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
15:48 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit []
16:12 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-137.28.wb.wifirst.net] has joined #openvpn
16:35 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
17:04 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
17:06 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
17:13 -!- m0sphere` [m0sphere@S01060018e78c9cff.cg.shawcable.net] has quit [Ping timeout: 246 seconds]
17:18 -!- m0sphere [m0sphere@S01060018e78c9cff.cg.shawcable.net] has joined #openvpn
17:24 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
18:09 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-137.28.wb.wifirst.net] has quit [Ping timeout: 272 seconds]
18:55 -!- PhotoJim [~Jim@devonport.ip4.photojim.ca] has left #openvpn []
19:18 -!- Devastator- [~devas@177.18.197.24] has joined #openvpn
19:18 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 264 seconds]
19:30 -!- Nanuq [~nanuq@tlalocan.teotlalli.ecks.ca] has left #openvpn []
19:39 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
19:57 -!- Devastator- [~devas@177.18.197.24] has quit [Changing host]
19:57 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn
19:57 -!- Devastator- is now known as Devastator
20:21 -!- valparaiso_ [~valparais@ARennes-257-1-162-104.w2-10.abo.wanadoo.fr] has joined #openvpn
20:23 -!- valparaiso_ is now known as valparaiso
20:28 -!- valparaiso_ [~valparais@ARennes-257-1-162-104.w2-10.abo.wanadoo.fr] has joined #openvpn
20:29 -!- valparaiso [~valparais@ARennes-257-1-162-104.w2-10.abo.wanadoo.fr] has quit [Ping timeout: 240 seconds]
20:30 -!- valparaiso [~valparais@ARennes-257-1-179-35.w2-13.abo.wanadoo.fr] has joined #openvpn
20:33 -!- valparaiso_ [~valparais@ARennes-257-1-162-104.w2-10.abo.wanadoo.fr] has quit [Ping timeout: 264 seconds]
22:03 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
22:31 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 255 seconds]
23:05 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
23:52 -!- [1]JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
23:53 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
23:54 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Ping timeout: 260 seconds]
--- Day changed Mon Jan 07 2013
00:38 -!- soulse [~soulse@190.222.252.9] has quit [Remote host closed the connection]
00:49 -!- brute11k [~brute11k@89.249.235.75] has joined #openvpn
00:59 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 255 seconds]
01:12 -!- Carbon_Monoxide [~cmonxide@116.92.14.130] has joined #openvpn
01:39 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
01:39 -!- kyrix [~ashley@71-212-76-89.tukw.qwest.net] has quit [Quit: Ex-Chat]
01:40 -!- kyrix [~ashley@71-212-76-89.tukw.qwest.net] has joined #openvpn
01:47 -!- soulse [~soulse@190.222.252.9] has quit [Ping timeout: 260 seconds]
01:58 -!- Carbon_Monoxide [~cmonxide@116.92.14.130] has quit [Quit: Leaving]
02:00 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
02:02 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
02:07 -!- Carbon_Monoxide [~cmonxide@116.92.14.130] has joined #openvpn
02:07 -!- Azrael808 [~peter@212.161.9.162] has quit [Quit: Ex-Chat]
02:09 -!- Carbon_Monoxide [~cmonxide@116.92.14.130] has quit [Client Quit]
02:13 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
02:20 -!- soulse [~soulse@190.222.252.9] has quit [Ping timeout: 265 seconds]
02:25 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
02:25 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Read error: Connection reset by peer]
02:32 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has joined #openvpn
02:33 -!- ade_b [~Ade@109.58.116.227.bredband.tre.se] has joined #openvpn
02:33 -!- ade_b [~Ade@109.58.116.227.bredband.tre.se] has quit [Changing host]
02:33 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:47 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
02:54 -!- soulse [~soulse@190.222.252.9] has quit [Ping timeout: 252 seconds]
02:55 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.]
02:56 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
03:01 -!- IT [~userit@86.120.191.55] has joined #openvpn
03:03 < IT> hey guys
03:04 < IT> what do i need to change so i can use samba over two routed offices, in the current config? http://pastebin.com/TPHCCUdn
03:08 <+pekster> You are pushing the wrong subnet to the client, and you don't have a ccd directory with an iroute for the client's network
03:08 <+pekster> !serverlan
03:08 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
03:08 <+pekster> !clientlan
03:08 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
03:08 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
03:08 <+pekster> Pick one of those to work on at a time and follow the instructions
03:08 < IT> ty
03:09 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
03:10 < IT> !iroute
03:10 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
03:21 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
03:29 -!- soulse [~soulse@190.222.252.9] has quit [Ping timeout: 272 seconds]
03:44 -!- kyrix [~ashley@71-212-76-89.tukw.qwest.net] has quit [Quit: Ex-Chat]
03:55 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
04:02 -!- soulse [~soulse@190.222.252.9] has quit [Ping timeout: 256 seconds]
04:07 < IT> i changed the config http://pastebin.com/NimZCLEC but i can't access the other subnet http://pastebin.com/NimZCLEC what did i miss?
04:16 -!- yeshello1here [~hi@80.168.239.88] has joined #openvpn
04:16 < yeshello1here> i have a weird issue, i've got a bridged server and a number of clients attached, when trying to communicate client to client i see arps hitting the bridge on the server, but they never appear to go back out of the tap device
04:16 < yeshello1here> i know i could enable client-to-client, but i wish to firewall these clients from each other to some extent
04:17 < yeshello1here> is this a limitation i'm unaware of or have i screwed something up? i can pastebin the configs if needed but they're little more than howto examples
04:20 < yeshello1here> for extra reference, the server can happily ping and get arp replies from all clients without issue, it's just client to client that seems to be broken and i can't easily see why
04:25 -!- ronsel [~ronsel@dslb-088-074-167-187.pools.arcor-ip.net] has joined #openvpn
04:29 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
04:37 -!- soulse [~soulse@190.222.252.9] has quit [Ping timeout: 255 seconds]
04:52 -!- dazo_afk is now known as dazo
04:54 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
05:03 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
05:08 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:10 -!- soulse [~soulse@190.222.252.9] has quit [Ping timeout: 240 seconds]
05:20 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
05:38 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
05:45 -!- soulse [~soulse@190.222.252.9] has quit [Ping timeout: 252 seconds]
05:50 -!- ade_b [~Ade@109.58.116.227.bredband.tre.se] has joined #openvpn
05:50 -!- ade_b [~Ade@109.58.116.227.bredband.tre.se] has quit [Changing host]
05:50 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:58 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
06:03 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
06:11 -!- ex0a [~high@unaffiliated/ex0a] has left #openvpn ["Leaving"]
06:12 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
06:14 < IT> is anybody here willing to help me setup an office-2-office connection for a moderate fee?
06:20 -!- soulse [~soulse@190.222.252.9] has quit [Ping timeout: 276 seconds]
06:20 -!- [1]JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- Chicks dig it]
06:21 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
06:29 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
06:46 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
06:53 -!- soulse [~soulse@190.222.252.9] has quit [Ping timeout: 240 seconds]
07:20 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
07:28 -!- soulse [~soulse@190.222.252.9] has quit [Ping timeout: 248 seconds]
07:31 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
07:35 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has quit [Read error: Operation timed out]
07:41 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Ping timeout: 248 seconds]
07:43 < yeshello1here> IT: i'm sure many people will help you set it up for no charge
07:44 < IT> i have run out of ideas
07:44 < yeshello1here> IT: openvpn is pretty easy to set up! what are you trying to do?
07:45 < IT> i'm trying to setup an office-2-office connection with different subnets
07:45 < yeshello1here> ok so you want each office to be able to access the other office over a vpn?
07:45 < IT> yes
07:46 < IT> i got openvpn running and connecting but i can't access the other network's PCs
07:46 < yeshello1here> are you running openvpn on the default gateway for your network?
07:46 < IT> yes, on every office
07:47 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.]
07:48 < yeshello1here> IT: sorry, just dealing with my own problem there
07:52 < yeshello1here> IT: it sounds like a default gateway issue anyhow, if you detail what debugging you've done i'll help a bit more in a minute
07:52 < yeshello1here> just got an OSPF issue to fix :(
07:53 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has joined #openvpn
07:54 <@ecrist> good morning
07:55 <+rob0> IT, what is your budget, and what OSs are involved?
07:55 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
07:55 < IT> atm i'm not sure if i'm using the right configuration for this http://pastebin.com/RQnHWwxL
07:56 < IT> @rob0t, check PM
07:57 < yeshello1here> morning ecrist
08:01 < fu_fu> Hello, G'morning
08:01 -!- soulse [~soulse@190.222.252.9] has quit [Read error: Operation timed out]
08:01 < yeshello1here> so i want to run a tap openvpn
08:01 < yeshello1here> but i also want my clients to get /30s
08:01 < yeshello1here> as i care only about multicast availability on the link
08:01 < yeshello1here> (so i can run ospf over it!)
08:02 <@ecrist> why do you want to use tap, then?
08:02 < yeshello1here> as i understand multicast on tun doesn't work?
08:02 <@ecrist> that doesn't make sense
08:02 < yeshello1here> i'm sure i tested it originally but that was like 18 months ago
08:03 < yeshello1here> so openvpn should support multicast over tuns? cause if so i'll just switch to that right now
08:03 <@ecrist> i believe so, yes
08:03 -!- bjh4 [~bjh4@ool-18bbdf6b.static.optonline.net] has joined #openvpn
08:03 < yeshello1here> is there an easy way to assign them a specific tun # too?
08:03 <@ecrist> tun devices won't support broadcast, but that's not related to multicast.
08:03 <@ecrist> !cd
08:03 <@ecrist> !ccd
08:04 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects.
08:04 <@ecrist> !static
08:04 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder
08:04 < yeshello1here> uh i meant the actual tun device, as i have two tun VPNs configured on a debian box
08:04 <@plaisthos> yeshello1here: you don't need multicast for ospf. You can statically configure neighbours ...
08:04 < yeshello1here> i'm just gonna go read up on configuration though to make sure i don't screw things up too badly
08:05 <@ecrist> yeshello1here: those two things vpnHelper just said will get you static IPs for your clients
08:05 < yeshello1here> plaisthos: in this use case we can't go with simple static configs
08:05 < yeshello1here> ecrist: static IPs don't matter, it's just the actual tun device number that i care about
08:05 < yeshello1here> thanks for all the help so far though
08:05 <@ecrist> yeshello1here: that's specific to linux, but you can specify a tun device number in the config
08:06 <@ecrist> --dev tun0
08:06 <@ecrist> --dev tun1
08:06 <@ecrist> etc
08:06 < yeshello1here> ok well i'll hope that works, doing some dangerous stuff at 2pm on a monday haha
08:07 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
08:09 <@ecrist> yeshello1here: no reason it shouldn't work.
08:09 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.]
08:10 < yeshello1here> ecrist: the issue is that one site is only connected via this currently badly configured VPN
08:11 < yeshello1here> it was haphazardly moved and set up and now needs careful attention
08:11 <@ecrist> well, that's not a problem with OpenVPN so much as it's your problem. :)
08:11 < IT> guys, any idea what i'm missing here http://pastebin.com/RQnHWwxL ?
08:12 <@ecrist> why do you think you're missing something?
08:15 < IT> i can't ping the other lan gw or machines
08:15 <@ecrist> do you see anything in your logs?
08:16 < IT> just this warning: "WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 10.0.8.0 255.255.255.0'"
08:17 <@ecrist> !logs
08:17 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
08:17 < IT> ok, sec
08:17 <@ecrist> IT: you have two servers and no clients?
08:17 <@ecrist> generally, the way this works is one is a server, the other is a client
08:18 <@ecrist> remove line 31
08:18 <@ecrist> remove line 29
08:18 <@ecrist> and 28
08:18 < IT> on server?
08:18 <@ecrist> and 33
08:19 <@ecrist> from your pastebin
08:19 < IT> ok
08:19 <@ecrist> (and effect those changes on the appropriate config)
08:20 < IT> if i do that i get Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
08:21 <@ecrist> remove tls-client and replace it with client
08:21 < IT> k
08:22 < IT> i removed them and i can ping the other vpn's interface 10.0.8.2
08:23 < IT> getting RwrWRwrWRwrWRwrWRwrWWRWRWRWR in the log while doing it
08:23 < IT> but that's as far as it goes
08:23 < IT> can't reach the gw or machines behind it
08:23 <@ecrist> please pastebin your logs
08:23 <@ecrist> verb set to 4 or higher
08:24 -!- test003 [~test003@soho-94-143-249-78.sohonet.co.uk] has joined #openvpn
08:24 -!- test003 is now known as lurpy
08:25 < IT> verb 5 -> server http://pastebin.com/1TpXhT20
08:25 < IT> -> client http://pastebin.com/c2mFHDY1
08:26 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
08:27 <@ecrist> from the client, are you able to ping 10.0.8.1?
08:28 <@ecrist> looks like the VPN came up without issue
08:28 <@ecrist> !goal
08:28 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server, I would like to access the internet over my vpn, I just want a secure connection between 2 computers, etc
08:28 <@ecrist> afk a few
08:29 < fu_fu> question: is it possible to install additional w32-Tun/tap adapters on windows? likewise additional versions of openvpn?
08:29 < IT> @ecrist, yes i can ping 10.0.8.1 from the client
08:30 < yeshello1here> hmm ok so i reconfigured my VPN to tun, and OSPF is configured in point to point, but i ain't seeing it, i think cause the peer address doesn't respond, which is kinda odd
08:30 < IT> goal - I would like to access the lan behind the server and vice-versa
08:30 <@dazo> fu_fu: yes, it should be an addtap.bat file where you'll find the openvpn.exe file .... run that one to add another tap adapter
08:30 <@dazo> fu_fu: it should also be fairly well documented in man and howto pages, how to tell openvpn to use these different tap adapters too
08:32 < fu_fu> dazo nice, thanks, if I add the adapter and dev tun0, 1, 2; and install dif versions in dif dirs, then the service seems to get overwritten
08:34 <@dazo> fu_fu: the service stuff might be somewhat different, yes ... but running openvpn service with different versions of openvpn sounds like a very odd setup ... so then you need to hack it yourself
08:34 * dazo pulls up his normal disclaimer: dazo is not a Windows user
08:35 < fu_fu> lol, i am setting up on linux next
08:37 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has quit [Quit: Computer has gone to sleep.]
08:50 -!- valparaiso [~valparais@ARennes-257-1-179-35.w2-13.abo.wanadoo.fr] has left #openvpn []
08:53 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
08:56 < yeshello1here> yeah ecrist i'm having some weird issues here
08:56 < yeshello1here> i think it's because the tunnel is set up between ex: .5 and .6
08:56 < yeshello1here> but the server only responds on .1
08:56 < yeshello1here> i'm gonna try with pool-linear
08:56 < yeshello1here> see what happens
08:58 < yeshello1here> that looks much better now
08:59 < yeshello1here> oh so close
08:59 < yeshello1here> i can see the peer but it doesn't get into a full state
09:03 < yeshello1here> yeah so the problem i guess is that openvpn handles its own internal routing for that
09:12 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has joined #openvpn
09:22 < yeshello1here> plaisthos / ecrist: i've now been told that in fact openvpn's internal routing table precludes using ospf in any way but p2p, the only other way around it i can see is if i could generate a bunch of /30 connections but using tap so i could run broadcast across it
09:23 < yeshello1here> however iptables-pool seems insistent on making one big network if i use tap, is there any way around this?
09:24 < IT> use tun ?
09:24 < yeshello1here> it won't work because the endpoint addresses do not match
09:24 < yeshello1here> (unless you use p2p)
09:24 < fu_fu> yeshello1here, you can firewall or accesslist, TAP is meant to make one big LAN, if you want to route, use TUN
09:25 < fu_fu> can you use p2p? why do you want TAP?
09:25 < yeshello1here> tun won't work because openvpn presents only its internal address for routing and so i can't run ospf across it unless both sides match
09:25 < yeshello1here> fu_fu: it would be less configuration and armache basically
09:25 < yeshello1here> cause i could just run broadcast across it and any clients connecting would be fine
09:25 < yeshello1here> instead of having to make individual VPNs for each potential endpoint
09:28 < fu_fu> interesting, are you on *nix or Win?
09:30 < yeshello1here> nix, i'm wondering about --topology
09:30 < yeshello1here> i don't think it'd work like i'm looking for really
09:30 < yeshello1here> i need to take a short break and go over this
09:31 < fu_fu> if you are using ospf you should be able to get away with using p2p. you will have more complete control of routing
09:31 < yeshello1here> yeah i'm just concerned about setting up 10+ tun devices and managing them all as nicely
09:31 < fu_fu> heh, ya, that's new to me
09:32 < yeshello1here> i assume i can still go with CA auth?
09:32 < yeshello1here> i bloody hope so!
09:32 < fu_fu> sure, no reason why not
09:39 -!- soulse [~soulse@190.222.252.9] has quit [Remote host closed the connection]
09:40 -!- soulse [~soulse@nat/cisco/x-zkqauoaharydwnac] has joined #openvpn
09:52 -!- dazo is now known as dazo_afk
09:53 <@ecrist> IT: your VPN is working, if you can ping 10.0.8.1
09:53 <@ecrist> now you need to push the proper routes
09:54 <@ecrist> yeshello1here: use tap, then.
09:54 <@ecrist> you can still use routed VPN (avoid bridge, if you can)
09:55 < yeshello1here> ecrist: tap always uses the subnet topology
09:55 < yeshello1here> which is the problem
09:55 < yeshello1here> as it causes errant ospf adjacencies
09:56 <@ecrist> see if this helps you at all: http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting
09:56 <@vpnHelper> Title: OpenVPN/RIPRouting - Secure Computing Wiki (at www.secure-computing.net)
09:56 < yeshello1here> ecrist: this is how i am now setting it up (telling a peon to set it up for me)
09:57 < yeshello1here> individual p2p links between the various machines
09:57 < yeshello1here> i'm quite happy with that solution really
09:57 < yeshello1here> ecrist: i have a more important (ie personal) issue to solve, i have a tap vpn bridged into br0, i am trying to communicate client to client without client-to-client set, from my reading of the documentation this should forward traffic on to the bridge interface
09:57 < yeshello1here> this seems to be happening, i see the ARP request from my machine
09:57 < yeshello1here> but
09:58 < yeshello1here> it never makes it to the client, so openvpn seems to be ignoring incoming arps for client addresses from the bridge or similar
09:58 <@ecrist> you won't be able to, without client-to-client
09:58 < yeshello1here> that seems rather dangerous?
09:58 <@ecrist> no
09:58 < yeshello1here> i want to have some measure of firewalling between clients
09:58 -!- dazo_afk is now known as dazo
09:58 <@ecrist> if you want clients to talk to each other, you need to enable client-to-client
09:58 <@ecrist> use a firewall, then
09:59 < yeshello1here> the documentation isn't very clear on that
09:59 < yeshello1here> how can i use a firewall, if the packets never leave openvpn? :)
09:59 <@ecrist> if you enable client-to-client, they do
09:59 < yeshello1here> wait, that's not what the documentation says
09:59 < yeshello1here> with client-to-client packets are routed internally within openvpn
09:59 < yeshello1here> and never hit the OS stack for firewalling
09:59 < yeshello1here> that means i have to tell my users to maintain their own security, which is pretty annoying compared
09:59 <@ecrist> have you tried it?
10:00 <@ecrist> iirc, there's an error in the docs
10:00 < yeshello1here> no i'm currently on the VPN so i can't kill it until later on
10:00 <@ecrist> that's hardly *my* problem. :P
10:00 < yeshello1here> i'll give it a go anyhow
10:00 <@ecrist> you could set up a test vpn
10:00 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has quit [Ping timeout: 248 seconds]
10:00 < yeshello1here> i'm just making my excuses before i get shouted at :)
10:00 < yeshello1here> ecrist: i could, but it's not so urgent i can't test it later on today
10:00 <@ecrist> it's what we'd do
10:00 < yeshello1here> i can always tell the users to firewall themselves
10:01 < yeshello1here> but it's nicer to do it for them
10:02 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has joined #openvpn
10:02 -!- zol_ [~z@del63-4-78-248-82-46.fbx.proxad.net] has quit [Remote host closed the connection]
10:06 -!- soulcito [~soulse@nat/cisco/x-cqtmoghxzixmmfif] has joined #openvpn
10:07 -!- Tativie [~Tativie@gateway/tor-sasl/tativie] has joined #openvpn
10:09 -!- soulse [~soulse@nat/cisco/x-zkqauoaharydwnac] has quit [Ping timeout: 240 seconds]
10:09 < Tativie> Is there a good watchdog program for when the vpn goes down (debian-gnome)?
10:10 -!- soulse [~soulse@nat/cisco/x-aojgevtxztkmahxk] has joined #openvpn
10:10 -!- soulcito [~soulse@nat/cisco/x-cqtmoghxzixmmfif] has quit [Read error: Connection reset by peer]
10:11 < Tativie> Or perhaps some setting in the config that will prevent connections when the vpn fails?
10:12 <+rob0> !keepalive
10:12 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive
10:14 <@dazo> Tativie: two options ... 1) a tiny script which fpings the remote VPN ... and barfs if it can't get contact .... 2) A little log watch framework I wrote (haven't publicly released it yet, but works well) ... http://fedorapeople.org/cgit/dsommers/public_git/logactio.git/
10:14 <@vpnHelper> Title: logactio.git - Simple log file watcher framework which does certain actions when some log events happen (at fedorapeople.org)
10:14 < Tativie> rob0: Do you know how I can specify a .conf file with that setting in it for the gnome shell? Right now it doesn't seem to have any .conf file with the keys or elsewhere.
10:15 <+rob0> that question does not make sense. You create your config files.
10:16 <@dazo> (unless you use NetworkManager .....)
10:16 < Tativie> I have a server config, but don't think I have a client one.
10:16 < Tativie> I know you can have a client one too, but not sure how to set it with debian running gnome
10:17 < Tativie> I could specify it in the command line when I start the openvpn, I know
10:17 < Tativie> but not sure how to set it with the gnome desktop, which is what I would prefer if possible.
10:18 <+rob0> okay, I am not using any kind of GUI frontend, so I can't help with those
10:18 <@dazo> Tativie: You can consider trying gopenvpn ... that uses normal config files ... and gives you a reasonable GUI to start/stop/monitor your tunnels
10:18 <+rob0> you might want to review your distro's openvpn package documentation, which might tell you how to name your files and where to put them
10:19 < Tativie> Both good ideas, Thanks :) I'll go do some reading and playing around with gopenvpn.
10:19 -!- Tativie [~Tativie@gateway/tor-sasl/tativie] has left #openvpn []
10:21 -!- master_of_master [~master_of@p57B536BC.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
10:23 -!- master_of_master [~master_of@p57B55F0A.dip.t-dialin.net] has joined #openvpn
10:24 < yeshello1here> you know i just realised
10:24 < yeshello1here> like 5 meg memory use
10:24 < yeshello1here> for a fairly big VPN server
10:24 < yeshello1here> is hilariously efficient
10:24 -!- dazo is now known as dazo_afk
10:24 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds]
10:50 < fu_fu> I have a TUN server in AWS cloud and clients all-over. one client has a LAN that needs to be visible, and a printer that all clients need to print to. Windows OSs. The cloud server has the main need for printing. any ideas?
10:51 <@ecrist> as long as you do the routing properly, the printing should work by IP
10:53 < fu_fu> there is some difficulty with routing that I am having, possibly due to AWS now using 10.8.0.0 subnet for the region, when i push the routes things start to break
10:54 <@ecrist> !1918
10:54 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi
10:54 <@ecrist> try a different range
10:55 < fu_fu> ya, i tried 10.251.0.0 and it works, but I wonder when they will get to that, the 172.0.0.0 are taken in AWS-EU, 192.X are typical for client LANs
10:56 < fu_fu> 172.12.0.0^
10:56 < fu_fu> oops again 172.16.0.0.
10:57 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has quit [Ping timeout: 252 seconds]
10:58 < fu_fu> is there a listing of the vpnHelper !_tags?
10:59 <+EugeneKay> !factoids
10:59 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
11:01 < fu_fu> cool thanks
11:03 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has joined #openvpn
11:06 -!- raidz_away is now known as raidz
11:06 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
11:17 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn
11:17 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Read error: Connection reset by peer]
11:17 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn
11:17 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host]
11:17 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:38 -!- soulcito [~soulse@190.222.252.9] has joined #openvpn
11:39 -!- soulse [~soulse@nat/cisco/x-aojgevtxztkmahxk] has quit [Ping timeout: 248 seconds]
11:46 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:52 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
11:53 -!- soulcito [~soulse@190.222.252.9] has quit [Ping timeout: 276 seconds]
12:06 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 260 seconds]
12:10 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 252 seconds]
12:11 -!- wrod [~wrodrigue@triband-mum-120.61.4.231.mtnl.net.in] has joined #openvpn
12:25 -!- ronsel [~ronsel@dslb-088-074-167-187.pools.arcor-ip.net] has quit [Quit: Dieser Computer ist eingeschlafen]
12:26 -!- wrod [~wrodrigue@triband-mum-120.61.4.231.mtnl.net.in] has left #openvpn ["Leaving"]
12:37 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
12:37 -!- soulcito [~soulse@190.222.252.9] has joined #openvpn
12:39 -!- soulse [~soulse@190.222.252.9] has quit [Ping timeout: 260 seconds]
12:40 -!- soulcito [~soulse@190.222.252.9] has quit [Remote host closed the connection]
12:40 -!- soulse [~soulse@nat/cisco/x-xnmnzjlkesaokezq] has joined #openvpn
13:09 -!- brute11k [~brute11k@89.249.235.75] has quit [Quit: Leaving.]
13:19 -!- fu_fu1 [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
13:19 -!- fu_fu1 [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Client Quit]
13:21 -!- sysdoc [~sysdoc@pool-71-105-40-229.lsanca.dsl-w.verizon.net] has quit [Quit: Leaving]
13:24 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Ping timeout: 276 seconds]
13:33 -!- kyrix [~ashley@71-212-76-89.tukw.qwest.net] has joined #openvpn
13:45 < yeshello1here> ecrist: you seem to be correct, there was an error in the docs, client-to-client has magically made everything right with the world
13:46 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
13:50 -!- awdjadj [~IceChat77@91.225.135.254] has joined #openvpn
13:50 <@ecrist> right
13:50 <@ecrist> I'll work on changing it
13:57 < yeshello1here> i don't really have the authority to do that
13:57 < yeshello1here> but if i can help, please let me know how
13:58 < yeshello1here> if it involves a lot of reading C, expect procrastination and idleness
13:58 <@ecrist> 13:50:28 <@ecrist> I'll work on changing it
13:59 <@ecrist> I didn't ask/tell you to do it
13:59 < yeshello1here> oh sorry
14:00 < yeshello1here> i've been up for ages
14:00 < yeshello1here> i thought you said "I'd work on changing it" :)
14:00 < yeshello1here> blurry eyes, bad vision, more excuses etc
14:00 < yeshello1here> still that's 2 vpn issues and one ospf issue sorted today
14:01 -!- _0x783czar [~0x783czar@50.117.78.133] has joined #openvpn
14:02 -!- soulse [~soulse@nat/cisco/x-xnmnzjlkesaokezq] has quit [Remote host closed the connection]
14:02 -!- soulse [~soulse@nat/cisco/x-gutqdbxcmbhfdkqw] has joined #openvpn
14:02 * rob0 read "it" in "I'll work on changing it" as "everything [being] right with the world"
14:03 < _0x783czar> Is it possible to manually configure my MacBook to connect to my openvpn account through the System Preferences Networking Pane? in other words, without the Private Tunnel client.
14:04 <@ecrist> _0x783czar: maybe
14:04 <@ecrist> not sure of a way, though
14:04 <+rob0> That sounds like a MacOS question. But indeed, a Mac can run openvpn directly from the shell.
14:05 < _0x783czar> rob0: yeah, I know how to set up a vpn on my Mac, but I don't know what server to point it to.
14:05 < _0x783czar> or what protocol it uses
14:06 <@ecrist> it uses openvpn
14:07 <@ecrist> you need an openvpn client - you can't use any generic VPN protocol
14:07 < _0x783czar> ecrist: oh so openvpn is its own protocol? so not PPTP
14:07 <@ecrist> Tunnelblick is free
14:08 <@ecrist> private tunnel is an OpenVPN Technologies solution - it's written/managed by the same people at corp that help develop openvpn
14:08 < _0x783czar> ecrist: yeah, i'm able to connect using the PrivateTunnel client, but I was just wondering if I could set it up to use OSX's built-in connection manager
14:09 <@ecrist> oh, no, you cannot
14:09 < _0x783czar> ecrist: OK. Oh well, thank you very much for your help
14:14 -!- awdjadj [~IceChat77@91.225.135.254] has quit [Quit: OUCH!!!]
14:15 -!- _0x783czar [~0x783czar@50.117.78.133] has quit [Ping timeout: 255 seconds]
14:27 -!- soulcito [~soulse@nat/cisco/x-fgfiuxlqkvuxaqma] has joined #openvpn
14:31 -!- soulse [~soulse@nat/cisco/x-gutqdbxcmbhfdkqw] has quit [Ping timeout: 265 seconds]
14:32 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
14:34 -!- soulcito [~soulse@nat/cisco/x-fgfiuxlqkvuxaqma] has quit [Ping timeout: 240 seconds]
14:54 -!- dan_ [~dan@c-98-228-62-52.hsd1.il.comcast.net] has joined #openvpn
14:58 -!- DBordello [~DBordello@unaffiliated/dbordello] has quit [Ping timeout: 260 seconds]
15:00 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:12 -!- soulse [~soulse@190.222.252.9] has quit [Remote host closed the connection]
15:12 -!- soulse [~soulse@nat/cisco/x-wgksrcjowvejcasu] has joined #openvpn
15:20 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn
15:20 -!- soulse [~soulse@nat/cisco/x-wgksrcjowvejcasu] has quit [Read error: Connection reset by peer]
15:21 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
15:23 -!- dan_ [~dan@c-98-228-62-52.hsd1.il.comcast.net] has quit [Quit: Leaving]
15:27 -!- bjh4 [~bjh4@ool-18bbdf6b.static.optonline.net] has quit [Ping timeout: 272 seconds]
15:35 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
15:40 * EugeneKay sneezes loudly
16:06 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has quit [Ping timeout: 240 seconds]
16:08 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has joined #openvpn
16:13 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Read error: Operation timed out]
16:18 -!- Kage` [~Kage@198.148.81.187] has left #openvpn ["Derp"]
16:18 -!- gladiatr [~sdspence@24.124.15.166] has joined #openvpn
16:20 -!- kyrix_ [~ashley@71-212-76-89.tukw.qwest.net] has joined #openvpn
16:20 -!- kyrix [~ashley@71-212-76-89.tukw.qwest.net] has quit [Read error: Connection reset by peer]
16:25 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has quit [Ping timeout: 260 seconds]
16:27 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn
16:32 -!- gladiatr [~sdspence@24.124.15.166] has quit [Changing host]
16:32 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
16:34 -!- btor [~btor@nor75-19-82-244-49-15.fbx.proxad.net] has joined #openvpn
16:34 < btor> Hi all
16:36 < btor> i have a problem with openvpn, i use a VPN service, which is in a routed mode ( TUN interface ) but when i launch it on my server, my server becomes unreachable. So, do you know the steps to specify openvpn to work on just one interface like eth1 ?
16:38 <+pekster> btor: OpenVPN works just fine when you have a single physical network interface. It sounds like you messed up the configuration, because launching a routed configuration shouldn't do that. Did you not use a unique network range for your VPN?
16:38 < btor> in advance, sorry for my english i'm french ...
16:38 <+rob0> could be a lot of things, really
16:39 < btor> pekster, i use "Hide my ass" service, i don't have access on the server, i just use it like a client
16:40 <+pekster> I'm not your provider, so I can't help you with their service. However, I suspect they're re-routing all traffic through the server, so you can't actually reach your server directly via your ssh or RDP or however you're doing it
16:42 <+pekster> You could probably perform some magic on the client side to add a host-specific route to reach your client IP (the one used by you to contact your remote host) and route that over the pre-existing connection. This is kind of an ugly solution though. Something like 'route YOUR_CLIENT_IP 255.255.255.255 net_gateway' (where you replace your known client IP with the IP you're using
16:42 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
16:42 <+pekster> That's sort of a bad solution, but there if you want to play with it
16:43 < btor> pekster, yes, that's what i want to do, like using iptables or other way to re-route it
16:43 <+pekster> I just told you how to do that
16:44 < btor> yes, and thanks to you but i thought it was possible to specify an interface to openvpn
16:45 <+rob0> it's [probably] not anything openvpn does. It's probably the change to the system route table.
16:45 <+pekster> You don't seem to understand what's going on. Your provider (which I am not affiliated with and can't help you troubleshoot) is pushing the 'redirect-gateway' option, which overrides your default gateway. If you want to override that for a specific Internet host, you need to configure it to do that, such as with the configuration line I just gave you
16:46 < btor> oh ok, i understand
16:48 < btor> thanks a lot people, i'll test it soon
16:55 -!- btor [~btor@nor75-19-82-244-49-15.fbx.proxad.net] has quit [Quit: Quitte]
16:56 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
17:02 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Remote host closed the connection]
17:02 -!- kyrix_ [~ashley@71-212-76-89.tukw.qwest.net] has quit [Read error: Connection reset by peer]
17:02 -!- kyrix_ [~ashley@71-212-76-89.tukw.qwest.net] has joined #openvpn
17:03 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
17:03 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 255 seconds]
17:04 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
17:04 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn
17:06 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
17:06 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
17:13 -!- sysdoc [~sysdoc@pool-71-105-40-229.lsanca.dsl-w.verizon.net] has joined #openvpn
17:18 -!- soulse [~soulse@190.222.252.9] has quit [Remote host closed the connection]
17:19 -!- soulse [~soulse@nat/cisco/x-mrdcozdnjcbyeggf] has joined #openvpn
17:20 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
17:28 -!- brute11k [~brute11k@89.249.235.75] has joined #openvpn
17:41 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat]
18:01 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Read error: Connection reset by peer]
18:04 -!- sysdoc [~sysdoc@pool-71-105-40-229.lsanca.dsl-w.verizon.net] has quit [Quit: Leaving]
18:06 -!- kyrix_ [~ashley@71-212-76-89.tukw.qwest.net] has quit [Ping timeout: 260 seconds]
18:28 -!- ActionA [~ActionA@2001:470:7:1f6::2] has joined #openvpn
18:29 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Read error: Connection reset by peer]
18:31 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
18:44 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving]
18:58 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
19:05 -!- soulse [~soulse@nat/cisco/x-mrdcozdnjcbyeggf] has quit [Read error: Connection reset by peer]
19:05 -!- soulse [~soulse@190.222.252.9] has joined #openvpn
19:20 -!- raidz is now known as raidz_away
19:35 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
19:37 -!- ActionA [~ActionA@2001:470:7:1f6::2] has left #openvpn []
19:40 < digilink> hey folks.... question for the experts. I am trying to setup a static key based site to site TUN/routed openvpn setup for simplicity. I have 3 subnets on one side, and just 1 subnet on the other side and want them to be bidirectional. Will IROUTE's work in a static key based setup or will I need to setup PKI instead?
19:45 <+pekster> digilink: iroute is only valid in a ccd or --client-connect context, both of which are exclusive to multi-client (or "server") mode, which implies using PKI. Use of 'route' is used instead in a p2p setup with --secret
19:46 < digilink> thanks pekster, I was afraid that would be the case :( I'm trying to avoid having to NAT the traffic across the VPN
19:46 <+pekster> I don't see how your choice of static keyed versus TLS/X509 makes any difference in that
19:47 < digilink> will I need to NAT my traffic from each LAN regardless? just trying to make everything as transparent as possible
19:47 <+pekster> Not if you configure routing properly at each LAN
19:48 < digilink> so say I add static routes at each lan, that points to the other lan and make the gateway that of the openvpn instance in each, would that be enough to do it?
19:49 <+pekster> Yes, along with firewall rules. FYI, you don't need the OpenVPN peer at either end to be your default gateway (in such a setup the default gateway would need to be made aware of the LAN and route to the VPN peer on that segment)
19:50 < digilink> got it (I think lol) gonna start playing with configs
19:51 <+pekster> You should also make a conscious decision about using static keys because you're giving up perfect forward secrecy in terms of a security benefit that X509 provides
19:52 < digilink> I've been reading on that as well
19:52 <+pekster> Either way can work from a routing perspective for what you're trying to do, so it's purely a security and semantic choice when you just have 2 peers
19:53 <+pekster> Ah, here's the bot's snippet on that:
19:53 <+pekster> !forwardsecurity
19:53 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can only decrypt the traffic within the timeframe since last renegotiation or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
19:54 < digilink> interesting...
19:54 < digilink> so in other words, use PKI :)
19:54 <+pekster> As far as configuration, the bot links to a handy flowchart for getting client/server LAN access working. Pick one to work on at a time, and remember you wouldn't be using iroute options if you use a static key setup (use a normal route instead.)
19:54 <+pekster> !serverlan
19:54 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
19:55 <+pekster> !clientlan
19:55 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
19:55 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
20:04 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 256 seconds]
20:18 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn
20:18 -!- ben1066 [~quassel@2a03:b200:9::824e:1e6e] has joined #openvpn
20:18 -!- ben1066 [~quassel@2a03:b200:9::824e:1e6e] has quit [Changing host]
20:18 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
20:19 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
20:21 < fu_fu> Hi can anybody help? I have a windows setup with client LAN 10.1.2.0/24 server 10.8.0.0/24; i need all clients to be able to connect to the 10.1.2.0 Client connected LAN. I can only get a ping to the actual server NIC 10.1.2.15
20:22 <+pekster> !serverlan
20:22 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
20:24 < fu_fu> nice chart! should this do the task? route 10.1.2.0 255.255.255.0
20:24 < fu_fu> push "route 10.1.2.0 255.255.255.0"
20:25 < fu_fu> so the client needs a route back to the server? the thing is that i have a printer at 10.1.2.26 that needs to be avail, the printer is default route to 10.1.2.15
20:25 < DBordello> great chart, that problem frustrated me for hours yesterday
20:25 < DBordello> fu_fu, consider a TAP tunnel?
20:26 <+pekster> You don't want tap for that...
20:26 < DBordello> pekster, why?
20:26 <+pekster> Printers do not require Ethernet frames to function
20:26 <+pekster> !tunortap
20:26 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Don't waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
20:26 <@vpnHelper> over the vpn or (#4) lan gaming? use tap!
20:27 <+pekster> fu_fu: Follow the flowchart. You need to set up the route to the VPN on the default gateway for the LAN (this will be done for you if the VPN server is also the LAN's default gateway.)
20:27 < DBordello> What is nathack?
20:27 <+pekster> source NAT between 2 LANs is ugly and breaks bi-directional connectivity
20:28 < DBordello> figures
20:28 <+pekster> The only reason you'd ever need to do that is if you don't control the gateway in your environment
20:28 <+pekster> Actually, NAT in general is ugly
20:28 < DBordello> the reason I used TAP was since I don't have a gateway on the LAN
20:29 <+pekster> That makes no sense. Not having a gateway to the rest of the Internet would mean you don't need a VPN to start with
20:29 < fu_fu> the client is the one with the LAN that needs to be accessed, i could just switch it around client for server, but I rather not.
20:29 <+pekster> fu_fu: Oh, the LAN is on the client?
20:29 <+pekster> k
20:29 <+pekster> !clientlan
20:30 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
20:30 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
20:30 < fu_fu> ipforwarding is enabled and tests : YES
20:30 <+pekster> Sorry, I mis-read that and your question was properly phrased from the start :(
20:30 < DBordello> pekster, it is an internal management lan. I am accessing it through a dual-homed server, that is where the VPN comes in
20:31 <+pekster> DBordello: Ah, gotcha. I tend to prefer SNAT for stuff like that, but whatever works for you
20:31 <+pekster> Or just route your "special VPN users" to the LAN and drop a gateway there allowing only access to those users
20:32 <+pekster> A default gateway on a management backend is fine as long as you have strict access controls to reach it
20:32 < fu_fu> in the diagram, last section, says do you have access to the router? does this mean the default router of the client machine?
20:32 < DBordello> I decided to play it safe, no gateway needed. It is mostly IPMI etc type devices. They have a tendency to forget their gateway anyways
20:32 <+pekster> fu_fu: Yes. The systems on your client LAN need to form a reply packet, and it needs to go back over the same path it took to get there
20:33 <+pekster> DBordello: Sure. I'm not saying it's always bad, but it's "often" the wrong decision to completely lock off a LAN, and then just hack around the security in the end anyway ;)
20:34 < fu_fu> ok, so do i route to the LAN interface of the client, 10.1.2.15 or to the tunnel?
20:34 < DBordello> pekster, probably true ;)
20:34 <+pekster> fu_fu: Gateways are always on your local network
20:35 <+pekster> Add a return route for the VPN network range routed through the VPN client's local IP with respect to the client-side LAN
20:35 < fu_fu> cool, i will try it now
20:36 < DBordello> On the return path, would it go PC -> Gateway -> VPN PC?
20:36 < DBordello> Well
20:36 < DBordello> PC -> Gateway -> VPN PC === VPN ===> Client
20:37 < DBordello> The fact that those first two links are in the same physical segment doesn't cause problems?
20:38 <+pekster> Nope. That's how routing works
20:39 <+pekster> A gateway just looks up the OSI L2 address of a system to send a packet based on its L3 destination
20:39 < DBordello> interesting
20:39 < DBordello> i guess it doesn't care what L2 segment it is on
20:40 <+pekster> Sure it does; you can't send an Ethernet frame to something that's not on your LAN ;)
20:40 <+pekster> Say my network is 192.168.50.0/24; I can't just magically route to a network via 10.20.30.6, because I can't directly reach that system by Ethernet
20:41 <+pekster> You might get some learning material out of a link like this:
20:41 <+pekster> !tcpip
20:41 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
20:42 < fu_fu> you dudes rock!
20:51 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has quit [Read error: Connection reset by peer]
20:53 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
20:54 < fu_fu> ok so the client-side LAN router can get to the VPN tunnel and to the other side to the VPN server, even to clients on the other end of the vpn. VPNserver still can not ping the printer
20:55 < fu_fu> vpnserver->TUN>Client>printer
20:55 < fu_fu> i get the learn message in the daemon when I try to ping so i guess it is not getting back correctly
20:56 <+pekster> Where in the flowchart are you getting stuck?
20:58 <+pekster> It could be a firewall issue too; are your firewall rules permissive of the reply traffic on your VPN server?
20:58 < fu_fu> i just added the route to the router, and it works fine, can get to clients over the vpn even past the server
21:00 < fu_fu> ok, i can not ping the clientside router from the server
21:00 < fu_fu> so is the route problem on the server side, or still maybe a fw block
21:01 <+pekster> You need to start at the very top of the flowchart instead of jumping around from the top all the way to the bottom
21:06 < fu_fu> I will check again, but I think I did. "can you ping another machine in the LAN? NO, access to router, YES, route added router can ping to 10.8.0.1(tunnel side of server)"
21:10 <+pekster> Okay, so from the VPN server you can ping the IP of a system on the client LAN that's not the VPN client system?
21:11 < fu_fu> no
21:11 <+pekster> So, you likely have a firewall issue at your client-LAN default gateway. You could test this by taking another LAN client and adding a manual route to the VPN network via the VPN client's LAN IP
21:11 <+pekster> If that works, you need to fix your firewall (or routing) on the client-side LAN gateway
21:11 <+pekster> If it doesn't, you'll need to post VPN config files because something else would be wrong
21:14 < fu_fu> ok, ya, i see i may need to add an access list for the ping to the VPN network
21:14 < fu_fu> would that give this type of issue?
21:38 <+pekster> It could, yes. A firewall at any path the packet takes is able to deny the traffic if so configured
21:43 < fu_fu> pekster, thank you for going through this with me.
21:47 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
21:47 <@ecrist> sup folks?
21:48 < fu_fu> Hi, ecrist
22:00 -!- brute11k [~brute11k@89.249.235.75] has quit [Quit: Leaving.]
22:22 -!- ben1066_ [~quassel@2a03:b200:9::824e:1e6e] has joined #openvpn
22:22 -!- ben1066_ [~quassel@2a03:b200:9::824e:1e6e] has quit [Changing host]
22:22 -!- ben1066_ [~quassel@unaffiliated/ben1066] has joined #openvpn
22:22 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
22:22 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
22:22 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
22:22 -!- mode/#openvpn [+o krzee] by ChanServ
22:22 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Ping timeout: 260 seconds]
22:45 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.]
23:25 -!- soulse [~soulse@190.222.252.9] has left #openvpn ["Leaving..."]
--- Day changed Tue Jan 08 2013
00:13 -!- jave_ [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
00:13 -!- jgeboski- [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
00:14 -!- Netsplit *.net <-> *.split quits: WinstonSmith, jgeboski, jave
00:15 -!- jgeboski- is now known as jgeboski
00:16 -!- Netsplit over, joins: WinstonSmith
00:22 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
00:24 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
00:43 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
00:54 -!- kyrix [~ashley@71-212-76-89.tukw.qwest.net] has joined #openvpn
01:24 -!- nutron [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection]
01:39 -!- Devastator- [~devas@177.18.197.67] has joined #openvpn
01:41 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 255 seconds]
01:55 -!- csaba [~csaba@195.199.154.25] has joined #openvpn
01:56 < csaba> hi
01:56 < csaba> would like to ask for some help
01:57 < csaba> I have a firewall with openvpn on it, it is ipcop
01:58 < csaba> and soon I will have to replace the machine. The question is can I keep the existing openvpn keys on it once I move to new hardware?
01:58 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has quit [Ping timeout: 246 seconds]
01:58 < csaba> It is in a high school where about 60 teachers have vpn keys so I do not want to recreate them.
01:58 <+pekster> csaba: Just copy them over; the keys and certs are just files (unless you're doing something with hardware devices, like smartcards. That's rare on a server.)
01:59 < csaba> same question, what happens if I have to change the ethernet card?
01:59 <+pekster> If you kept your PKI on that same host, back up that entire PKI directory (you should be doing that anyway in case the system has a problem and you need to recover, otherwise you'll have to start a new PKI)
02:00 <+pekster> If you have to change the Ethernet card? OpenVPN doesn't care about your network hardware so long as it has network access
02:00 < csaba> ok, I thought it creates some kind of link to that specific eth card for security reasons
02:00 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn
02:01 <+pekster> Nope. The security is based on TLS using an X.509 PKI model
02:01 < csaba> but if it is that simple, that is cool
02:01 <+pekster> If you have a deployment like that with 60 remote field users, you should really consider your backup and disaster-recovery procedures too
02:02 <+pekster> (primarily applies to your PKI, since worst-case you could always generate a new server certificate.
It really sucks to have to re-do a deployed PKI because your CA box exploded and you don't have backups)
02:03 < csaba> right now I have raid mirror and that is it
02:03 <+pekster> Just remember, you can't issue new certificates without your PKI files (easy-rsa, or whatever other frontend you might use to generate the certs)
02:04 < csaba> thanks, I need to find them then
02:05 < csaba> I think it is safe to just backup the entire openvpn dir
02:05 <@krzee> the ethernet card question assumes you're not in bridge mode
02:05 <+pekster> Yup. Some people keep them on the VPN server out of convenience, but it's bad practice to keep the CA files on the VPN server itself. Some smaller deployments may not care about best practices (a home VPN server, for example, might not need to split things like that)
02:06 <+pekster> With respect to the key/cert files it's not related to the card krzee
02:06 < csaba> do you have any experience with ipcop?
02:06 <+pekster> configs perhaps if the IP changes on the server in a bridge setup, but not the PKI
02:06 <+pekster> I have no experience with it
02:06 <@krzee> right
02:07 < csaba> I do not happen to find the pki files
02:07 <+pekster> Where'd you generate the PKI?
02:07 < csaba> I have .p12 and .pem files
02:08 < csaba> for the users
02:08 <+pekster> You're going to be very unhappy if you reformat that box and the CA was stored on there and you don't have backups
02:08 <+pekster> Step 1: find it. Step 2: do backups. Step 3: understand the importance of proper management of your security-centric infrastructure
02:09 <+pekster> ie: where is it you go to sign a new cert for a user or to re-issue an expiring one?
02:09 <@krzee> if a new teacher came, how would you make him a new cert?
02:10 < csaba> http://www.ipcop.org/2.0.0/en/admin/html/vpns-openvpn.html
02:10 <@vpnHelper> Title: 2.7.4.
OpenVPN Configuration Administrative Web Page (at www.ipcop.org)
02:10 < csaba> like this
02:10 <@krzee> you better be careful before you format
02:10 < csaba> right now I was looking for the files over ssh on the server
02:10 <@krzee> you need to get the pki out
02:11 < csaba> wonder why do I need the pki when this setup does not have any?
02:12 < csaba> I think it is using a different method
02:12 < csaba> but I know little about this
02:12 < csaba> it was pretty easy to set openvpn up with ipcop
02:13 <@krzee> do you give your users files or passwords?
02:13 < csaba> well, both
02:13 < csaba> I generate a new user then also a password
02:14 <@krzee> i see
02:14 < csaba> and they change that later with openvpngui
02:14 <@krzee> oh ok
02:14 <@krzee> that is a passphrase on their cert
02:14 <@krzee> same as doing:
02:14 < csaba> so now when I see the files over ssh these are pem and p12 files
02:14 <@krzee> !factoids search cert
02:14 <@vpnHelper> 'servercert', 'certs', 'nocert', 'certverify', 'certinfo', 'cert_chains', and 'certfight'
02:14 <@krzee> !factoids search pass
02:14 <@vpnHelper> 'winpass', '2.1-winpass-script', 'authpass', 'password-only', 'strip-passphrase', 'change-passphrase', 'enable-passwd-save', and 'password'
02:15 <@krzee> !change-passphrase
02:15 <@vpnHelper> "change-passphrase" is see http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase
02:15 <@krzee> that's what the change password feature of openvpngui does
02:15 <@krzee> which means they are using pki
02:15 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Ping timeout: 255 seconds]
02:15 < csaba> let me verify then, if I backup the openvpn dir is that enough?
02:16 <@krzee> if i were you i would NOT format that box
02:16 <@krzee> i would get another one running how i want it
02:16 < csaba> if let's say I need to build a new one then copy openvpn over and be fine?
02:16 <@krzee> then you could format
02:16 <@krzee> no way for me to know
02:16 <@krzee> you're asking an ipcop question
02:16 <+pekster> csaba: Backing up the openvpn dir will NOT be enough UNLESS your entire CA PKI structure is in that directory (if it is, then you might be fine)
02:16 < csaba> oh of course I do not want to format
02:16 <@krzee> ^
02:16 <+pekster> No one here can tell you where your PKI files are ;)
02:17 <+pekster> You should know this (you need to go there every time you sign a cert, so you should know how to find it yourself, hopefully)
02:17 <@krzee> he uses a web gui
02:17 <@krzee> this is why i hate web guis, it leads people to not know what they're really doing
02:17 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 252 seconds]
02:18 < csaba> I think like I said this one uses pem and p12 files, and somehow they hold that PKI you guys talk about
02:19 <+pekster> No, those are just the files issued to the server
02:19 < csaba> hm, ok
02:19 <+pekster> There's an entire PKI with your CA private key, about a dozen helper files that contain your entire certificate database, and every issued certificate you've ever processed
02:20 <+pekster> And if you fail to save it properly, you will never be able to issue another certificate, and will have to start over, which will void all the stuff you've issued.
I'd strongly suggest you learn what PKI management is so you can do these steps yourself, otherwise you are risking this all happening anyway from a simple disk or filesystem failure
02:21 < csaba> yes, true and that is exactly what I am after
02:21 < csaba> thanks so far for taking your time with me
02:21 <@krzee> whatever you do, do not delete this system until after you have another server up and issuing working certs
02:22 < csaba> ok, thanks
02:22 < csaba> and all I wanted to know if openvpn was connected to the hw or not
02:22 < csaba> so good news is that it is not
02:23 <@krzee> openvpn is only dependent on the hw if you're in bridge mode
02:24 < csaba> do those PKI files have a .pki ending?
02:24 <+pekster> No. They're technically extension-independent, but usually contain a variety of .key, .crt (or .cert) and .csr (or .req) files
02:24 <+pekster> You could call them secret.jpg if you wanted; the system doesn't care
02:27 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
02:27 < csaba> ok, interestingly I have these dirs: ca, ccd, certs, crls, openssl but only certs have files in them
02:28 < csaba> the mentioned pem and p12 files for users
02:30 <@krzee> where are those dirs?
02:31 -!- brute11k [~brute11k@89.249.235.75] has joined #openvpn
02:31 < csaba> /var/ipcop/openvpn
02:35 < csaba> the pki is the root host cert?
02:35 < csaba> I think as I remember this root host cert was the first I had to create
02:35 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Quit: Ex-Chat]
02:36 < csaba> for root I can download a cacert.pem and for host a hostcert.pem
02:37 < csaba> like this: http://www.ipcop.org/2.0.0/en/admin/html/vpns-ca.html
02:37 <@vpnHelper> Title: 2.7.5. Certificate Authorities Administrative Web Page (at www.ipcop.org)
02:39 <+pekster> You need to save the entire PKI structure. Not just the certs, and not just the keys. The entire PKI structure needs to be moved over if it's on that system.
You'll have to check with the documentation of whatever frontend you're using, because I have no clue how it's designed or where the files are stored or what format they're in
02:41 < csaba> ok, sorry guys and thanks for your patience
02:41 <+pekster> It sounds like this *might* be stored under /var/ipcop/openvpn, but I can't really be sure without seeing the setup
02:42 < csaba> ok, that is what I am guessing too, just weird that I do not find any pki
02:43 <+pekster> .pem is a common extension for holding any of the data types (PEM and DER are the 2 most common encodings of X509 data, along with the p12 container format)
02:43 <+pekster> Again, the extension is just convention and you could call them .blah if you wanted
02:46 -!- ade_b [~Ade@95.209.17.187.bredband.tre.se] has joined #openvpn
02:46 -!- ade_b [~Ade@95.209.17.187.bredband.tre.se] has quit [Changing host]
02:46 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:58 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 276 seconds]
03:06 -!- wrod [~wrodrigue@110.235.82.2] has joined #openvpn
03:21 < IT> hello
03:22 < IT> how can i link together 2 LANs, with machines being able to ping each other via routing? what am i missing from this config http://pastebin.com/2AGRFSuK ?
03:23 -!- brute11k [~brute11k@89.249.235.75] has quit [Ping timeout: 240 seconds]
03:31 -!- Devastator- [~devas@177.18.197.67] has quit [Changing host]
03:31 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn
03:31 -!- Devastator- is now known as Devastator
03:31 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
03:31 <+pekster> IT: At the very least an iroute since you've commented out the client-config-dir parameter that's required to support it.
This is listed on the guide/flowchart:
03:31 <+pekster> !clientlan
03:31 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
03:31 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
03:32 < IT> ty
03:32 < IT> !route_outside_openvpn
03:32 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
03:32 <+pekster> IT: Separate from that, you also need to follow the 2nd flowchart to fully support the LAN behind the server. You need both steps done fully and correctly in order to get bidirectional communication.
The server-side LAN is described here:
03:32 <+pekster> !serverlan
03:32 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
03:33 <+pekster> IT: remember, pick just one to fully work on at a time before moving to the next as they're both required
03:33 < IT> damn
03:36 -!- kyrix [~ashley@71-212-76-89.tukw.qwest.net] has quit [Quit: Ex-Chat]
03:40 -!- ronsel [~ronsel@dslb-088-074-167-187.pools.arcor-ip.net] has joined #openvpn
03:42 <@krzee> be sure you read and understand this:
03:42 <@krzee> !route
03:42 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
03:43 <@krzee> looks like you're missing an iroute
03:43 <+pekster> Yea, I noted that too but linked both docs in case there's more missing too
03:43 <@krzee> yep
03:44 < IT> already added that in ccd "iroute 192.168.1.0 255.255.255.0"
03:44 <@krzee> you uncommented ccd in the server config too right
03:44 < IT> yeap
03:44 <@krzee> then continue with the flowcharts
03:44 < IT> that was there for debugging
03:45 <+pekster> You've also reversed your networks at some point
03:45 < IT> already reviewed them, there's something related to routing
03:45 <@krzee> IT, huh?
03:45 <@krzee> nowhere in my flowcharts does it say "there's something related to routing"
03:51 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
03:53 < fu_fu> can anyone tell me what this means?
Tue Jan 08 03:21:19 2013 us=821375 ja/82.x.x.x:x1694 MULTI: bad source address from client [fe80::f88e:1c69:4d17:bf5], packet dropped how do I translate that address? the client addr is actually 192.168.1.5; last time i put iroute for that it brought the whole system down
03:56 <+pekster> fu_fu: Evidently your client is sourcing IPv6 data across the VPN from an address the server doesn't recognize. I'm guessing that's a Windows client? I've seen them frequently get confused when multiple local addresses are available to source packets from due to poor multihoming abilities of the platform
03:56 <+pekster> There's nothing you can do really, besides fix whatever bad application on the client's end is doing something that silly
03:59 < fu_fu> hard to diagnose a remote client, is there a decoder for the source number? fe80::f88e:1c69:4d17:bf5]
04:00 <+pekster> The "decoder" you want is known as IANA which manages IPv6 (and IPv4) allocations
04:00 <@plaisthos> fu_fu: fe80 is link local
04:00 <+pekster> http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
04:00 <@vpnHelper> Title: Internet Protocol Version 6 Address Space (at www.iana.org)
04:00 < fu_fu> right on, thanks again
04:00 <+pekster> OpenVPN should never be assigning that address to the TAP adapter for the VPN interface, so Windows has made a mistake and is sourcing traffic poorly
04:01 <+pekster> I've seen it do that on completely IPv4 networks too with its LAN IP, so it's just bad OS design
04:01 <+pekster> It's not a problem as OpenVPN drops such badly sourced packets (you can ignore the error, unless it's a sign of a broken application you need to debug from the client side)
04:03 < fu_fu> the broken app is Remote Desktop I think, but could be the user is using IPv6 autoassign, and these are just regular bcasts, right
04:04 <@krzee> bcasts over ipv4?
04:04 <+pekster> It has no route across the VPN adapter for such packets unless you've specifically set up IPv6 support.
So no, it's just Windows screwing things up
04:05 <+pekster> Also save to ignore
04:05 <+pekster> safe*
04:06 -!- dazo_afk is now known as dazo
04:07 < fu_fu> i had the server close socket 3 times in the past four hours, and it coincides with this err message, i thought it related
04:09 <+pekster> That's an error dealing with encapsulated addressing within your tunnel. I hope you don't mean OpenVPN is getting disconnected as a result
04:11 < fu_fu> i will up the logging factor, best to find out, than suppose
04:16 -!- brute11k [~brute11k@89.249.235.33] has joined #openvpn
04:17 < fu_fu> need to get some sleep, take care all
04:18 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.]
04:33 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
04:34 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
04:44 <@dazo> pekster: if you see people here having the "MULTI: bad source address" issue ... this might be a good pointer: http://openvpn.net/index.php/open-source/faq/79-client/317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq.html
04:44 <@vpnHelper> Title: "MULTI: bad source address from client , packet dropped" or "GET INST BY VIRT: [failed]"? (at openvpn.net)
05:04 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 252 seconds]
05:06 -!- Eagleman [~Eagleman@D4B2D271.static.ziggozakelijk.nl] has joined #openvpn
05:06 < Eagleman> How much speedloss in MB's will there be on an 60MB connection with 256bit encryption?
05:16 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn
05:25 -!- wrod [~wrodrigue@110.235.82.2] has quit [Remote host closed the connection]
05:28 < kisom> Eagleman: How fast does my car go if I push it to the max?
05:36 -!- krzee [nobody@hemp.ircpimps.org] has joined #openvpn
05:36 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
05:36 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
05:36 -!- mode/#openvpn [+o krzee] by ChanServ
05:42 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 276 seconds]
05:43 < pppingme> Eagleman It's a legit question, but I don't know the answer, encryption will add some overhead, so there will be more data obviously, but I don't know the numbers
05:44 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn
05:45 < pppingme> Eagleman on the plus side, openvpn does support compression, which doesn't happen over a typical connection, so it may be a wash, or even to your advantage, depending on the type of data.
05:47 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn
05:48 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
05:49 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has quit [Read error: Connection reset by peer]
05:53 -!- thermoman [~thermoman@idle.foobar0815.de] has joined #openvpn
05:53 < thermoman> is it possible to use cidr notation for push route?
05:53 < thermoman> e.g. push "route 1.2.3.4/24"
05:53 < thermoman> instead of
05:53 < thermoman> e.g. push "route 1.2.3.4 netmask 255.255.255.0"
05:53 <@plaisthos> thermoman: no
05:53 < thermoman> the netmask version is ugly to read
05:53 < thermoman> :(
05:54 <@plaisthos> thermoman: you can create a patch if you want :)
05:54 * thermoman submits a feature request
05:54 < thermoman> :)
05:54 <@krzee> you read your routes often?
05:54 <@krzee> your vpn configs?
05:55 <@krzee> i configure my stuff, and then it works
05:55 <@krzee> if your desktop background picture is your vpn config, i understand
05:55 <@plaisthos> not even some professional equipment does support cidr for route syntax ;)
06:00 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 256 seconds]
06:17 <@krzee> !ping
06:17 <@vpnHelper> pong
06:20 <@plaisthos> lol
06:25 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
06:32 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
06:37 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
06:43 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:47 -!- ade_b [~Ade@redhat/adeb] has quit [Client Quit]
06:56 -!- ade_b [~Ade@95.209.17.187.bredband.tre.se] has joined #openvpn
06:56 -!- ade_b [~Ade@95.209.17.187.bredband.tre.se] has quit [Changing host]
06:56 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:59 -!- `Ile` [~kvirc@212-200-214-138.dynamic.isp.telekom.rs] has joined #openvpn
07:22 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 260 seconds]
07:22 -!- GabrieleV_ [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
07:25 -!- Carbon_Monoxide [~cmonxide@n219078079066.netvigator.com] has joined #openvpn
07:27 -!- Carbon_Monoxide [~cmonxide@n219078079066.netvigator.com] has left #openvpn []
07:30 -!- GabrieleV_ is now known as GabrieleV
07:35 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.]
07:36 -!- niervol [~krystian@193.106.244.150] has joined #openvpn
07:39 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
07:46 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Read error: Connection reset by peer]
07:46 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn
08:14 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
08:16 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has joined #openvpn
08:27 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:38 -!- brute11k1 [~brute11k@89.249.235.33] has joined #openvpn
08:39 -!- brute11k [~brute11k@89.249.235.33] has quit [Ping timeout: 265 seconds]
08:49 -!- brute11k [~brute11k@89.249.235.33] has joined #openvpn
08:50 -!- brute11k1 [~brute11k@89.249.235.33] has quit [Ping timeout: 260 seconds]
08:59 -!- MarKsaitis_ [~MarKsaiti@81.101.81.114] has joined #openvpn
09:00 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Ping timeout: 255 seconds]
09:01 -!- MarKsaitis_ [~MarKsaiti@81.101.81.114] has quit [Read error: Connection reset by peer]
09:01 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn
09:01 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.]
09:10 <@ecrist> IT: no PMs, please
09:10 <+rob0> oh, sorry, that's partly my fault
09:11 <@ecrist> hrm
09:11 * ecrist goes and reads
09:11 <+rob0> Here's the deal: IT wants to hire someone to do a small and simple VPN job.
09:11 < IT> oh, k :P
09:11 <+rob0> I could have done it, but not through TeamViewer, which is the way he wants to provide access.
09:12 <@ecrist> wtf is TeamViewer?
09:12 -!- abradsha [~Ade@95.209.134.79.bredband.tre.se] has joined #openvpn
09:12 <@ecrist> ah
09:13 <@ecrist> nm, I can google
09:13 <@ecrist> IT, you're forgiven your PM.:)
09:13 < Eagleman> whats bad about teamviewer lol
09:13 <+rob0> If you have TeamViewer you'll be in and out in less than an hour. He just wants a site-to-site VPN which is partly working already.
09:14 <+rob0> well, I'm not saying what's good nor bad about TeamViewer; I don't have it and can't easily install it. But I am a fan of ssh :)
09:15 < Eagleman> I guess he wants to monitor what you are doing
09:15 <+rob0> screen(1) can do that too
09:15 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 248 seconds]
09:18 < IT> !1918
09:18 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi
09:18 <@ecrist> so can watch(8)
09:19 < IT> !8
09:23 <@ecrist> IT, I'd strongly suggest you first switch your IP subnets. If you decide to ever add clients, it'll make your life easier before you entrench yourself in those ranges
09:24 <@ecrist> that's up to you, though. we can still get things working with what you have
09:25 < IT> i changed one to 192.168.1.x a few weeks ago
09:25 < IT> i know it's a little harder to track this way, but it's easier for the users
09:25 <@ecrist> 99% of all home gateways use either 192.168.0.0/24 or 192.168.1.0/24 as their range
09:26 <@ecrist> which will cause problems if anyone ever connects in from a home network that uses those ranges.
09:26 < IT> the 2 branches are in a closed environment, nobody should connect from home
09:27 <+rob0> yep, I mentioned that yesterday also. It CAN be done with those networks, but in the long run (when something WILL need to change), I predict pain. :)
09:27 < IT> one step at a time :P
09:27 <@ecrist> sure
09:27 <@ecrist> what do you have for the server config now?
09:28 <@ecrist> and what do you have for the client config now?
09:28 <@ecrist> also, are the two VPN machines your network gateways already, or are they secondary boxes?
09:28 <+rob0> We got very close yesterday. Seemed like iroute wasn't working.
09:28 < IT> they are my gateways, pasting the config in a sec
09:28 <+rob0> yes, they're both the gateways
09:29 <+rob0> The ccd file was being read, but for some reason iroute was not working.
09:29 < IT> http://pastebin.com/WnX2r34i
09:30 <@ecrist> in your paste, there's a typo, the network ranges on lines 23 and 24 should match
09:31 -!- abradsha is now known as ade_b
09:31 -!- ade_b [~Ade@95.209.134.79.bredband.tre.se] has quit [Changing host]
09:31 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:32 < IT> they should contain the local ip or the client's ip?
09:32 <+rob0> 192.168.0.0/24 is the client LAN, 192.168.1.0/24 is the server LAN
09:33 <+rob0> push the server LAN route to the client, set the client LAN route on the server?
09:35 -!- dazo changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire topic || OpenVPN RELEASED FOR ANDROID! || Current Release: 2.3.0 (08-Jan-2013) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue || Your problem is probably your firewall, Really ||Not a native English speaker? say so!
09:36 <@ecrist> IT: they should contain the local subnet for the server
09:36 < IT> ok, changed both to 192.168.1.0
09:37 < IT> the ccd contains iroute 192.168.1.0 255.255.255.0
09:45 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Ping timeout: 246 seconds]
09:50 < IT> @ecrist?
09:53 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn
09:54 <@ecrist> sorry, was AFK
09:54 * ecrist reads
09:55 <@ecrist> the iroute is wrong
09:55 <@ecrist> the iroute should be for the route of the client LAN
09:55 < IT> 192.168.0.0 255.255.255.0 then
09:56 < IT> ok, changed
09:57 -!- gladiatr [~sdspence@24.124.15.166] has joined #openvpn
09:57 -!- gladiatr [~sdspence@24.124.15.166] has quit [Changing host]
09:57 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
09:57 < IT> i can ping machines in LAN1 from LAN2 gw but not vice-versa
09:58 <@ecrist> IT, can you draw up a diagram, quick?
09:58 <@ecrist> !diagram
09:58 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
09:58 < IT> sure
10:05 -!- Eagleman [~Eagleman@D4B2D271.static.ziggozakelijk.nl] has quit []
10:06 < IT> just a quick drawing http://www.gliffy.com/go/publish/4209220/ tell me if i missed anything important
10:06 <@vpnHelper> Title: Gliffy Public Diagram - network diagram1 (at www.gliffy.com)
10:08 -!- ben1066_ is now known as ben1066
10:09 <@ecrist> perfect
10:09 <@ecrist> which side are you calling LAN1 and LAN2?
10:09 < IT> left LAN1, right LAN2
10:10 <@ecrist> ok
10:11 <@ecrist> is ipforwarding enabled on the client and the server?
10:11 < IT> i believe so, they server as internet gateways
10:12 < IT> *serve
10:13 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Quit: Leaving]
10:14 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
10:15 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Killed (idoru (Spam is off topic on freenode.))]
10:16 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
10:16 < fu_fu> what's up dudes
10:16 < fu_fu> and dudettes
10:17 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
10:17 < fu_fu> I wanted to tell you about a problem I found a solution for today. There is no documentation of it that I can find so far, so I am letting you all know.
10:18 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:19 < fu_fu> the log error msg is regarding MULTI: bad source address from client [fe80::d978:2f77:f0f3:3320], packet dropped
10:20 <@ecrist> IT: firewall rules?
10:20 < fu_fu> this is a windows client to windows server, IPv6 issue is easily fixed by removing IPv6 from the TAP adapter
10:20 <@ecrist> also,
10:20 <@ecrist> !logs
10:20 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
10:21 < fu_fu> Tue Jan 08 11:09:37 2013 us=991671 cor-to-EUTS01/174.129.219.194:61210 MULTI: bad source address from client [fe80::d978:2f77:f0f3:3320], packet dropped
10:21 -!- master_of_master [~master_of@p57B55F0A.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
10:22 <@ecrist> the logs was for IT
10:22 < fu_fu> right sorry
10:22 < fu_fu> i'm just stoked i got the err off my screen
10:22 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
10:23 -!- master_of_master
[~master_of@p57B53BBC.dip.t-dialin.net] has joined #openvpn
10:23 <+rob0> "Bad source address from client" is in the OpenVPN FAQ, and the answer is iroute.
10:27 < fu_fu> rob0 I think, it is an IPv6 issue with windows the iroute statements are correct but the error still occurs, when i disabled IPv6 on the adapter the error stopped.
10:28 <+rob0> Since IPv6 is only in 2.3, and 2.3 has not yet been released, documentation details might not be complete.
10:28 < fu_fu> pekster ID'd the error as an IPv6 problem in windows I think, several hours ago. I just wanted to close the loop
10:28 < fu_fu> rob0 2.3 is out now :)
10:28 <@ecrist> IT???
10:29 < IT> pasting
10:29 <@ecrist> rob0: 2.3 was released today
10:29 < IT> got lag on pastebin, 2 sec, check pm
10:29 <@ecrist> see /topic
10:30 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds]
10:31 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
10:31 < IT> got the rules?
10:31 <+rob0> oh ha. I saw dazo change the /topic but didn't pay attention to it :)
10:32 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 248 seconds]
10:34 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
10:34 <@ecrist> looking
10:34 <@ecrist> rob0: probably good to pay attention to
10:35 <@ecrist> !iptables
10:35 <@vpnHelper> "iptables" is (#1) to test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -F; iptables -Z or (#2) please see http://openvpn.net/man#lbBD for more info or (#3) you can see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for pf or iptables or (#4) These are just the
10:35 <@vpnHelper> basics to get OpenVPN working. Proper firewall design is beyond the scope of this channel.
You can try #iptables 10:35 <@ecrist> IT ^^^ 10:36 -!- b00b [~freenode@46.166.178.155] has joined #openvpn 10:39 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 260 seconds] 10:39 < IT> i don't think it's the firewall, i got the policy on default accept and can't ping from lan1 to lan2 10:40 < IT> i don't think it's the firewall, i got the policy on default accept and can't ping from lan1 to lan2 gw 10:40 < IT> sry for double post 10:42 <@ecrist> so, you can ping from lan2 machines to lan1 machines? 10:42 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn 10:43 <@ecrist> can you ping from lan1 machines to lan2 machines? 10:44 < IT> no and no 10:44 < IT> i can ping from lan2 gw to lan1 machines 10:44 < IT> and that's it 10:44 <@ecrist> you still haven't posted your logs 10:45 <@ecrist> also, can you post a traceroute from a lan1 machine to a lan2 machine? 10:45 <@ecrist> and your routing tables from both lan1 gw and lan2 gw 10:47 < IT> here you go http://pastebin.com/fnCL33ua 10:49 -!- kjs [kjs@fedora/kjs] has joined #openvpn 10:50 < kjs> Guys is there any way of seeing a list of when users have authenticated? 10:50 <@ecrist> look at the openvpn status log 10:50 <@ecrist> IT: logs? 10:51 <@ecrist> also, !configs again, please 10:51 < kjs> i am looking in the status log now... 10:51 < IT> ServerA -> http://pastebin.com/XERBh8m9 10:52 < IT> ServerB -> http://pastebin.com/ef7t8veb 10:53 < IT> Configs -> http://pastebin.com/m64DhN0h 10:56 < IT> i have to move to my home workstation :) afk a little 11:00 <@ecrist> kk 11:02 < kjs> hmm 11:02 < kjs> openvpn-status-log only conains connections with todays date ? 11:02 < kjs> does it only log for 1 da y? 11:03 <@ecrist> kjs: openvpn-status-log shows currently connected users 11:03 <@ecrist> !man 11:03 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! 
11:03 < kjs> i see
11:03 < kjs> so there is no historic log ?
11:03 <@ecrist> look at --log
11:04 <@ecrist> try reading the man page
11:05 <@ecrist> IT: routes aren't getting pushed properly yet, still looking
11:06 <@ecrist> !iroute
11:06 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
11:06 < kjs> looks like someone has commented it out...
11:06 < kjs> # Log messages to the syslog.
11:06 < kjs> ;log openvpn.log
11:06 < kjs> ;log-append logs/openvpn.log
11:06 <+EugeneKay> !paste
11:06 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
11:06 < kjs> It was 3 lines...
11:06 <@ecrist> kjs: that someone would be you, or another admin
11:06 < kjs> Not me.
11:07 <@ecrist> so, another admin
11:07 <@ecrist> or gremlins maybe
11:07 <@ecrist> or the nazis
11:08 < kjs> Ex admin ;)
11:09 <@ecrist> IT: you need to add "route 192.168.0.0 255.255.255.0" to your server config
11:10 < kjs> What a bitch, I can't think of another way of finding out if a user has been connecting to the VPN or not..
11:10 <@ecrist> you have to log the traffic...
11:22 -!- raidz_away is now known as raidz
11:22 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
11:25 -!- ronsel [~ronsel@dslb-088-074-167-187.pools.arcor-ip.net] has quit [Quit: This computer has fallen asleep]
11:28 -!- mode/#openvpn [-o plaisthos] by ChanServ
11:28 * plaisthos hides again
11:32 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn
11:32 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host]
11:32 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:35 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Ping timeout: 276 seconds]
11:41 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 264 seconds]
11:52 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
11:56 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
11:57 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
12:00 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
12:03 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
12:15 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 246 seconds]
12:24 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
12:25 -!- `Ile` [~kvirc@212-200-214-138.dynamic.isp.telekom.rs] has quit [Quit: KVIrc 4.1.3 Equilibrium http://www.kvirc.net/]
12:52 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has joined #openvpn
12:55 -!- pa [~pa@unaffiliated/pa] has quit [Read error: Connection reset by peer]
12:58 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
13:01 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
13:08 * EugeneKay sneezes violently
13:08 * ecrist doesn't give a shit
13:08 <+EugeneKay> I need to do that too, now that you mention it.
13:10 <@ecrist> at the office, we refer to it as doing 'paperwork'
13:10 <+EugeneKay> Ah, offices. How quaint.
13:11 <@ecrist> indeed
13:38 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
13:44 -!- n2deep_ [n2deep@odin.sdf-eu.org] has joined #openvpn
13:48 -!- n2deep_ [n2deep@odin.sdf-eu.org] has quit [Client Quit]
13:48 -!- n2deep [n2deep@odin.sdf-eu.org] has quit [Quit: Lost terminal]
13:49 -!- n2deep [n2deep@odin.sdf-eu.org] has joined #openvpn
14:23 -!- novaflash [~novaflash@openvpn/user/novaflash] has quit [Changing host]
14:23 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
14:23 -!- ServerMode/#openvpn [+v novaflash] by sturgeon.freenode.net
14:23 -!- mode/#openvpn [+o novaflash] by ChanServ
14:31 <+pekster> kjs: I wrote a generic (and of course extensible) on-disconnect accounting script if you want to use it. It's GPLv3 code, so you're free to use it as a starting point for anything else you might need
14:31 <+pekster> !accounting
14:31 <@vpnHelper> "accounting" is http://pekster.sdf.org/code/files/openvpn-user-accounting.tgz for some bash code for basic accounting
14:31 <@ecrist> gah, GPL
14:32 <+pekster> ecrist: Could be worse: I could have used GNU AGPL for that ;)
14:32 <@ecrist> heh
14:32 * ecrist refines regex
14:33 <@ecrist> gah, /[\w]{,1}GPL/
14:33 <+pekster> I wrote some regex yesterday to remove comments and zero chain counters on iptables-save rules
14:33 <+pekster> sed -r -e '1,1 p' -e '/^#/ d' -e 's/\[[[:digit:]]+:[[:digit:]]+\]/\[0:0\]/'
14:33 <@ecrist> I really hate that particular syntax
14:33 <@ecrist> PCRE FTW
14:34 <+pekster> No perl on my target system ;)
14:34 <@ecrist> the world's not perfect
14:34 <@ecrist> you don't need Perl for PCRE
14:34 <+pekster> How about an ash shell? ;)
14:34 <@ecrist> even grep supports it
14:40 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 17.0.1/20121128204232]]
14:49 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 276 seconds]
14:51 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
14:52 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn
15:08 -!- brute11k [~brute11k@89.249.235.33] has quit [Quit: Leaving.]
15:13 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
15:16 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
15:28 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
15:37 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
15:58 < plaisthos> ecrist: gnu grep but other greps?
16:01 <+pekster> I suppose [0-9]+ is shorter. I dunno, just preference/taste really
16:05 < plaisthos> but probably not the same
16:05 < plaisthos> when localisation and unicode is used
16:09 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit []
16:13 <+pekster> Well, "digit" is pretty common in most encodings :P
16:15 < plaisthos> pekster: there might be additional numbers like japanese numbers
16:15 <+pekster> Ah, I suppose
16:28 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
16:28 -!- mode/#openvpn [+v s7r] by ChanServ
16:36 -!- widith [~kenneth@li557-200.members.linode.com] has joined #openvpn
16:37 < widith> is it possible to pass 2 configuration files? I have one with all the parameters and the other with keys
16:37 <+s7r> congratulations for the release folks!
16:38 <+s7r> speaking of.. i have a question which stays on my mind. how come openvpn can connect via http proxy? how can you connect to a ftp website on port 21 via a http proxy? wasn't http proxy just for http traffic? what is happening
16:38 <+s7r> what is the difference between http proxy and socks4/5 proxy as I recall socks was for all protocols while http proxy was just for browsing http websites and nothing more
16:39 <+s7r> so ?
16:40 <+s7r> widith: why don't you make a single file .. and that is all. include the certs there like
16:40 <+s7r> etc.
16:40 <+s7r> it is simpler this way
16:40 -!- dazo is now known as dazo_afk
16:43 <+pekster> widith: You can chain 'config' statements together
16:43 <+pekster> I don't see the advantage, but it's available to you as a feature if you want it
16:50 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 265 seconds]
16:57 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
17:01 -!- defswork [~andy@141.0.50.105] has joined #openvpn
17:03 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 255 seconds]
17:03 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
17:05 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
17:07 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
17:15 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer]
17:15 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
17:18 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat]
17:23 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 240 seconds]
17:23 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Ping timeout: 265 seconds]
17:27 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
17:36 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn
17:36 -!- moore1 [~moore@50.7.199.107] has joined #openvpn
17:58 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving]
18:10 -!- chrisb [~chrisb@pool-71-175-253-228.phlapa.east.verizon.net] has joined #openvpn
18:14 -!- chrisb [~chrisb@pool-71-175-253-228.phlapa.east.verizon.net] has quit [Ping timeout: 240 seconds]
18:16 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:17 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
18:18 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
18:32 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
18:46 -!- ancient3 [~Rockminto@c83-253-113-227.bredband.comhem.se] has joined #openvpn
18:47 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
18:48 < kantlivelong> hey all.. im using an openvpn TAP server with a remote windows client. for some reason LAN based games do not auto detect sessions. im assuming its using broadcast and am unsure why thats not being replayed?
18:48 -!- troy- [~troy@dcamp-bbr1.prg1.eu.tauri.ca] has quit [Quit: leaving]
18:48 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
18:49 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
18:49 < ancient3> kantlivelong: Bridge mode or ?
18:50 < ancient3> kantlivelong: Allow traffic for Tap interfaces.
18:51 < ancient3> kantlivelong: And bridge interfaces to test it, so that nothing is blocked.
18:51 < kantlivelong> ancient3: its bridged
18:51 < kantlivelong> and traffic is flowing
18:51 < kantlivelong> i can ping/make connections manually
18:52 -!- moore1 [~moore@50.7.199.107] has quit []
18:54 < ancient3> The windows client needs a port that it cannot rech from the servers TAP/Bridge interfaces. Firewall ?
18:55 < ancient3> Reach
18:56 < ancient3> Once a vpn-client connects you need to think of the interfaces as local interfaces for the client.
18:56 < kantlivelong> yeah
18:58 < ancient3> If you can... open up both the client and server firewalls. Test the game to exclude any of those issues.
19:00 <+pekster> kantlivelong: Using wireshark to capture packets may help. IIRC, IPX routing in Windows is highly broken, and I recall from a few years back failing to get some game auto-detect working because Windows was routing the reply IPX packet out of the physical LAN instead of the VPN where the source IPX broadcast came from :(
19:00 < kantlivelong> ancient3: the game works as expected when specifying the IP of the other node
19:00 <+pekster> So, if you're using IPX, you might just be screwed. I looked up relevant MS docs on IPX routing, and they were wrong (not a huge surprise, but frustrating at least)
19:00 < kantlivelong> its when searching for games on a lan
19:00 < kantlivelong> so might be ipx..
19:00 < kantlivelong> hmm
19:01 <+pekster> Well, if it's using IPX (most newer games don't and prefer to use a UDP/TCP broadcast)
19:01 <+pekster> That could be a firewall issue, depending on how your LAN systems and routers are configured
19:01 < kantlivelong> well one easy game i tested was minecraft
19:01 < kantlivelong> i see UDP packets on my lan on broadcast
19:01 < kantlivelong> but not on the end client
19:02 <+pekster> A bridged/tap setup will send that across the VPN, so I suspect your firewall is getting in the way
19:02 <+pekster> Follow packets and tcpdump/wireshark at each step
19:02 < kantlivelong> pekster: do i need to add a specific route for broadcast?
19:02 < kantlivelong> firewall is wide open on the tap/bridge
19:02 < ancient3> kantlivelong, pekster: Oooh! IPX, Today! :) Haha, thats funny :)
19:02 < ancient3> IPX/SPX
19:03 <+pekster> Some of us still like playing games from the 90's :(
19:04 <+pekster> Now please excuse me while I turn on my Electric Sheep screensaver ;)
19:04 < kantlivelong> haha
19:04 < ancient3> Well, you live and learn. But odd, because i thought minecraft used TCP/IP
19:04 < kantlivelong> i hate games that require searching instead of just letting me slap in the ip
19:05 < kantlivelong> ancient3: it does im sure for the connection. but not for broadcasting games
19:05 < kantlivelong> though most games use udp
19:05 < kantlivelong> hmm
19:06 < ancient3> kantlivelong: Aha! ... So many games do that (or did)... Its odd why they dont use a central DB to announce connectable games.
19:06 < kantlivelong> ancient3: why would they? most people dont have time to setup servers
19:06 < ancient3> Yeah, but not IPX, thats just evil :)
19:07 -!- Guest15284 [~LaStik@62.109.16.198] has quit [Ping timeout: 240 seconds]
19:07 < ancient3> Yeah, lets use a protocol that noone wants, right ? :)
19:08 <+pekster> IPX would be (have been?) easier to use if Redmond's own documentation was actually correct :(
19:09 < ancient3> I think thats Novells protocol.
19:09 < ancient3> Or was.
19:09 <+pekster> Well, when a Windows game uses it, you're stuck using Redmond's frontends to interact with the OS
19:10 < ancient3> Yep, complete crap is mostly what they provide. As little interaction between operating systems as possible is "Encouraged".
19:11 <+pekster> Unix/Linux seem to mostly "get along" despite their fundamental differences ;)
19:11 < ancient3> I like the EU that way. They said "Make operating systems talk to each other". This has worked very well if you look at samba for instance.
19:14 < ancient3> Naah, UNIX/Linux/BSD/Apple is ok. Only windows doesnt want interoperability.
19:18 < ancient3> Apple maintains cups, Oracle maintains MySQL and openoffice nowadays. I think they are doing a good job without knowing a whole lot of the intricacies. They provide usable and nice code i think. But i wonder why openoffice (the old staroffice from Germany) is so hard to compile. They need to work on that.
19:19 <+EugeneKay> Oracle dropped OpenOffice; it's a stalled Apache project now
19:19 <+EugeneKay> All of the core developers left and formed The Document Foundation, which produces LibreOffice
19:19 < ancient3> EugeneKay: Aha!, yeah i saw that and im using Libre office nowadays :)
19:20 <+EugeneKay> The same thing is happening with MySQL --> MariaDB. Percona is a notable fork, but it's for-profit.
19:28 < ancient3> Yes, they are generally forked to provide extra functions to paying customers. I have thought about that too, To make a standard thing and then allowing payments for it so customers will for instance get database support within the GUI's that im making. But im more interested in working for a company or so that i use my code for my CV and let it loose across the worlds :)
19:30 < ancient3> I assume Percona is maintained by Spanish people... This will probably be a much better version because they seem to be highly unemployed at the moment.
19:33 < ancient3> Im in Sweden and i have been unemployed for 4 years in a few months. People who shouldnt have jobs in IT have them. Thats very odd, because i thought that skills had anything to do with working.
19:33 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
19:34 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Ping timeout: 265 seconds]
19:35 < ancient3> It was the same shit in 1998-2002 ... Seems idiots get to work that needs to realize they hate their jobs and do not work in IT anymore. Or so they try to tell people.
19:35 <+pekster> There are still companies out there that value actual skill
19:36 <+pekster> The better ones even respect the public/private IP issues too
19:36 < ancient3> pekster: I sure hope so :)
19:36 <+pekster> ancient3: You might enjoy a talk at 29C3 (torrents and mirrors available) called 'Securing the Campaign' where the head of security for the Obama 2012 campaign talks about IT security
19:38 < Suterusu> Anyone bored enough to help diagnose why I keep gitten D/c'd from my VPN?
19:40 < ancient3> pekster: I actually think Obama is doing much good. Especially if he removes guns from the streets as he has done. Because with all the shootings over there i feel the NRA needs to realize what the hell they are doing to their own people.
19:41 < Suterusu> They allowed to carry guns for a reason
19:41 < Suterusu> protection
19:42 -!- LaStik [~LaStik@62.109.16.198] has joined #openvpn
19:42 < Suterusu> Not from each other, the muggers an burglars etc - Thats a bonus - Its protection from tyrannical rule
19:42 <+pekster> A lot of the problem is social too; Canada has more guns per person and far less deaths. Plus we seem to care more as a country about our 2nd amendment (right to guns) than our 4th (right to privacy and protection from unwarranted searches)
19:42 -!- LaStik is now known as Guest55454
19:42 <+pekster> Suterusu: Don't ask to ask, just ask. We're talking about other stuff because no one has asked about VPNs in a while ;)
19:42 < Suterusu> If needed, the country could rise at arms to enforce a new leader
19:42 <+pekster> True, but I don't think we're in danger of being invaded by England. Not for a while anyway :P
19:43 < Suterusu> Who 'asked to ask'? I said my piece - Peeps interested or they int
19:43 < Suterusu> lol, more likely china
19:43 < Suterusu> Esp once they figure owt you aint got they gold
19:44 < ancient3> Suterusu: Yes, its an evil and downwards pointing spiral that will lead to more guns. But what if there were stricter checks on whom could get and or carry a gun. Now i know you dont want Psychopaths to have guns for example (I wouldnt).
19:45 < Suterusu> Police can carry 'em, I want better - They've proved to me (generally) they can't be trusted....
19:46 < Suterusu> 'tis 'Gun-free' here in England - But that didn't stop me gettin several as a teen - Every other farmer got at least one shotgun, too
19:47 < Suterusu> Accord to FBI, Over in states, More people die from clubs, bats and hammers than rifles, per yr, Consistently - 'tis hardly an award winning argument "less guns = less gun crime"
19:51 -!- raidz is now known as raidz_away
19:54 < ancient3> Suterusu: But i bet more people can be killed with automatic fire. Especially children for instance ?
19:56 < ancient3> Suterusu: Or do you defend children getting killed at schools so much that you want no change in gunlaws at all ?
19:56 < Suterusu> true - as prev. saids, tho - I phear more to gain not from taking away the assault rifle, but to accrue a state of mind where it isn't considered as an option
19:56 <+pekster> Again, depends on social situation. Guns are a big issue in Mexico now too despite them being effectively illegal for citizens. I'm not saying it's right, but social/political issues are complicated :(
19:57 <+EugeneKay>
19:58 <+pekster> Hey, I made an offer to help with a VPN problem. On the downside, I'm leaving for the gym in a few minutes, so that offer will be scaling some walls for a couple hours :P
20:00 < ancient3> I say that a nationwide, per person reapply, for the use of a firearm is required
20:01 < Suterusu> The rules will just narrow and narrow until only 'the authorities' are 'allowed' - Like here - A long and slippery slope, the further down you go the more speed you gain, and the harder it will be to climb up
20:01 < ancient3> And they cant at least be psycho's to get their gun permits back.
20:01 <+pekster> Play nice, or take it to ##politics. The only climbing I'm doing is at the gym ;)
20:16 < ancient3> Suterusu: From what im getting you seem to almost believe in some sort of armageddon style stuff ?
20:17 < ancient3> Suterusu: Not that you have an Ioncannon in your front lawn or anything.. :)
20:18 < Suterusu> I don't discount it - BUt I see the 'holes' in 'society' - I can see the direction things taking - it aint gonna be good. Give it ten yrs, and we'll be in 1984 at this rate.
20:19 <+pekster> Hey, improvement in 2.3.0: tap-windows.exe is placed in the installation path. Progress!
20:21 < ancient3> Suterusu: Thats hard to argue with, but it wont kill you. It will only mean unemployment for a while.
20:22 < Suterusu> no, it'll be worse than death - a life of oppression
20:23 < Suterusu> It starts, with deweaponising 'em, 'cause w/o most will be unable to think o a way of fighting back
20:24 < Suterusu> For decades, now, There's bin steady increase in training o military for 'urban combat' - And the rumours n reports of deploying military in your streets getting more frequent
20:24 < Suterusu> Won't be long after its happened over there, It'll want to happen over here.
20:26 < ancient3> Suterusu: Lets take this example: All weapons are illegal to have or bear by citizens. They have all been melted down. Explain why this would be bad for you ?
20:26 < Suterusu> It wouldn't - I have the ability to fabricate
20:26 < Suterusu> lol
20:26 < ancient3> So do i, and many others. Yep, saw that comin'
20:27 < Suterusu> There isn't much I can't turn into a weapon, tbh....
20:27 < ancient3> But for you personally i mean. Are you just scared or do you have enemies that blahblah and so forth ?
20:28 < ancient3> We dont feel that way in our country.
20:28 < ancient3> Have no enemies, have no fear.
20:29 < Suterusu> I'm not 'scared' - But its better to has it and not need it, than need it and not has it - That said, me being me, I piss orf a lotta people - Some enough to try and kill me - no-one seems to be able to manage it. About the only chance they got is a high powered rifle n a lotta distance. And then they better hope it kills me, and either way, want to be running
20:30 <+EugeneKay> Seriously
20:30 <+EugeneKay> There's ##politics or ##guncontrol for this
20:31 < ancient3> Yes EugeneKay, but this is very interesting and no one else will be chatting for at least one more hour i think.
20:31 -!- mode/#openvpn [+o EugeneKay] by ChanServ
20:31 <@EugeneKay> I don't care.
20:32 < Suterusu> I agree - Seriously, -=- Put 'em up against the wall n shoot 'em. Make the next lot watch. Tell 'em: We're watching. Don't screw up.
20:34 < ancient3> EugeneKay: Agreed.
20:38 < ancient3> So, are there any graphical user interfaces for this openvpn thing ?
20:39 -!- widith [~kenneth@li557-200.members.linode.com] has left #openvpn ["WeeChat 0.3.9.2"]
20:39 <@EugeneKay> Many.
20:39 <@EugeneKay> What OS?
20:39 < ancient3> Linux
20:40 <@EugeneKay> Typically the init scripts are used. NetworkManager has a thing, but....
20:40 <@EugeneKay> !ubuntu
20:40 <@vpnHelper> "ubuntu" is dont use network manager!
20:40 <@EugeneKay> It sucks.
20:41 < ancient3> Ive heard that too.
20:41 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn
20:42 < Suterusu> Seems t'do it for me - Think using same NetworkManager is used in 'buntu - not 100% on that
20:42 < Suterusu> Can't make it auto reconnect, mind
20:42 <+pekster> Why not just write a couple of bash frontends and put a GUI link in your menu or taskbar of choice
20:43 < ancient3> Im using this one: http://dalalven.dtdns.net/linux/gadmin-openvpn/client/gadmin-openvpn-client-0.1.8.tar.gz
20:43 < Suterusu> I'd rather has it connected, constantly - Its not something I'd want to turn orf
20:43 < ancient3> its for gtk+
20:43 < Suterusu> Ergo, something that should not need turning on
20:45 < Suterusu> Yur, I've played with gadmin suite - I seems to has more options in the network manager what shipped with mint (based on 'buntu) and just as many with this networkmanager (seems t'be gnomes, I'm in KDE)
20:46 < Suterusu> Tho, generally, the gadmin suite is aiight
20:46 < ancient3> Cool, yeah its working for me.
20:47 < Suterusu> As I says, The netwrok manager workin for me... Hasn't given me no problems
20:47 < Suterusu> But spelt better
20:47 < ancient3> Haha, yeah :)
20:49 < ancient3> The netti wrokkie thingy :)
20:50 < Suterusu> Just wish I knew why keep losing connection from me VPN
20:50 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
20:51 < ancient3> Suterusu: Generally a firewall issue. Haven't seen it otherwise.
20:52 < Suterusu> Why'd it be intermittent, tho
20:54 < Suterusu> Can't see nutting in logs for clues, Mosto time I'm r/c before other end knows I'm d/c
20:54 < ancient3> Depends on timeouts of relative inactivity.
20:55 <+pekster> See the description of --keepalive in the manpage (server's timeout is longer than the client's)
20:55 < Suterusu> Shldn't be 'timeouts' or 'relative inactivity' - Was fine the other day....
20:56 <+pekster> Usually it boils down to a generic firewall problem, stateful firewall timeouts, or an aggressive DPI firewall. Or perhaps just a connection with some loss on it
20:56 < Suterusu> Seems to suggest isn't settings - More an external influence
20:56 <+pekster> Sure, could be that too. An attacker sometimes tries to induce reconnections if it's a benefit to learn about your traffic, connection, or to perform an active attack such as TLS downgrade or similar
20:57 <+pekster> What's the log say? Disconnect due to ping inactivity timeout?
20:57 < Suterusu> Question is - how - and more importantly - How does one ocunter
20:57 < Suterusu> Or counter
20:57 <+pekster> Counter what? I gave you a half-dozen options for the cause, and the resolution is different (or impossible) depending on the problem
21:02 < Suterusu> Well, 1'st lets assume an attacker is 'inducing reconnections'
21:03 < Suterusu> How would this be identified, and or countered
21:05 <+pekster> Use a different ISP, or perhaps wrap your TLS connection inside an openvpn static tunnel so there's no defining protocol handshake. Possibly changing ports if you're using the default (or just changing it even if you're not to something else random)
21:06 -!- Carbon_Monoxide [~cmonxide@116.92.14.130] has joined #openvpn
21:07 < Suterusu> " wrap your TLS connection inside an openvpn static tunnel" Mind elaborating?
21:08 <+rob0> see the static key howto for OpenVPN 1.x
21:08 <+rob0> it is much simpler than client/server setups
21:09 <+pekster> Set up a static-key based tunnel, then connect your TLS session to the endpoint of that tunnel. You get the benefits of X509 key rotation and DH key exchange (for perfect forward secrecy) without the protocol-identifying traffic in the encapsulating UDP traffic to your peer across the wire
21:10 < ngharo> doing that all-in-one would make for an interesting port of openvpn
21:10 < fu_fu> heh
21:10 <+pekster> I've thought about designing a config generator that would do that
21:11 < fu_fu> hi everyone
21:11 <+pekster> It's tough because most setups have requirements beyond that anyway. Maybe as a 'use this then modify to suit' program, but if you're able to do that you can probably just follow the guides and replace the remote IP with the outer-connection's IP anyway
21:11 < ngharo> right
21:12 < ngharo> i just have a feeling people will be confused on which daemon to do routing on etc
21:12 < Suterusu> I'm already, AFAIK, in a 'static key tunnel', n I'm going over TCP, I think...
21:14 <+pekster> !forwardsecrecy
21:15 <+pekster> !static-key
21:15 <@vpnHelper> "static-key" is when you use --secret, you are using a static key. this is only valid for point-to-point setups. Static keys are less secure in that they never change. If someone captures your traffic, and then gains your static key a year from now, they can decrypt the captured traffic. Setups that use certs re-key every hour by default
21:15 <+rob0> If the static key tunnel is only transporting a TLS tunnel, potential loss of forward secrecy is No Big Deal.
21:15 < Suterusu> Also, not sure, but think I'm in 2.x
21:15 <+pekster> Right, I linked that as a hint to figure out how it's configured right now
21:15 <+pekster> Suterusu: PtP ("--secret" or static key mode) is still supported
21:16 <+rob0> Static key tunnels still work. 2.x is backward compatible.
21:16 < Suterusu> n naw, my keys rotate roughly every hr, cld be ½ hr - So don't think thats what I'm playing with currently
21:16 -!- jgspratt1 [~jgspratt@66.162.71.166] has joined #openvpn
21:17 <+pekster> You asked how you could theoretically combat active connection tampering. I offered you a solution based on a foundation that DPI was being used against you
21:17 <+pekster> I know that's not what you're using; I'm offering you high-level solutions based on a guess as to your problem ;)
21:17 <+pekster> We're a few layers down the rabbit hole :P
21:18 < Suterusu> I'll fetch the JCB....
21:18 < jgspratt1> I'm pushing these routes to my client, but the client can only get to 10.25.1.101, which is the LAN IP of the OpenVPN server on the server side: http://hastebin.com/tewofigica.rb
21:18 <@vpnHelper> Title: hastebin (at hastebin.com)
21:18 < fu_fu> JCB?
21:18 < jgspratt1> I can ping/ssh to 10.25.1.101, where the server is listening. I can't get to 10.25.1.102, which is an identical server on the server-side LAN.
21:19 < jgspratt1> Routes on the client side show this: http://hastebin.com/ruqafecuni.php
21:19 <@vpnHelper> Title: hastebin (at hastebin.com)
21:19 < Suterusu> Big yellow digger
21:20 < fu_fu> has anyone installed additional TAPs on Win2008_r2(AWS); i have tried devcon and tapinstall (with addtap.bat) and it won't work
21:20 < jgspratt1> The "10.24.0.0 10.24.9.5 255.248.0.0" line is sending stuff to the tunnel on the client all right, but it isn't making it to the lan on the server side.
21:20 < Suterusu> Glancing over that static key how-to - I understand how to implement that, But Don't see how to embed my 'existing' connection inside. prolly me being thick - What am I missin?
21:21 <+rob0> jgspratt1, routes must be bidirectional. Does 10.25.1.102 know to reach the VPN clients through 10.25.1.101?
21:21 < jgspratt1> That's like, that's a good point.
21:22 <+rob0> Suterusu, first bring up the static key tunnel. Then direct your TLS tunnel through the VPN (using --remote on the client side.)
21:22 <+rob0> --remote static.key.VPN.IP
21:23 <+pekster> jgspratt1, there's a handy flowchart for connecting VPN clients to a server-side LAN like that:
21:23 <+pekster> !serverlan
21:23 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
21:23 < jgspratt1> rob0: how can I fix this? I have lots of hosts on my server side that I don't want to reconfigure. could I take the gateway server and point 10.0.0.0/24 back to 10.25.9.2 ? Server routes: http://hastebin.com/jefunuheca.vala
21:23 <@vpnHelper> Title: hastebin (at hastebin.com)
21:23 <+pekster> fu_fu: Use the 'tap-windows.exe' installer you get after a 2.3.0 installation
21:24 < Suterusu> And where'd I type that?? So, Implement then use the static key'd tunnel, Then attach to the VPN again? Meaning two sets o config?
21:24 <+pekster> fu_fu: That utility used to be in the 'openvpn\bin\' path of your install, but that's no longer the case as of 2.3.x (including the _rc releases.) Just install the tap-windows.exe installer over the existing install and be sure to install the 'TAP Utilities' (not checked by default) during install
21:24 < fu_fu> i will try that, i have not seen it. do i have to unpack the exe installer for OVPN?
21:25 <+pekster> fu_fu: You can do that too if you'd like; use 7-zip and look in the .\$TEMP\ path of the primary installer
21:25 < fu_fu> nice, that could solve some issue of mine nicely, thanks
21:25 < ngharo> Suterusu: yes
21:25 <+pekster> Yes, I'm mildly annoyed the devs removed that feature in a default installation
21:25 <+pekster> It's not hard to get back, just a hassle for anyone who needs >1 connection for any reason
21:25 < jgspratt1> rob0: ah. the "add a route to the router..." step.
21:26 <+pekster> Not like 2 batch files are a huge strain on the system either. Meh
21:26 < fu_fu> lol
21:26 < jgspratt1> rob0: that's a NAT policy in a SonicWALL, right?
21:27 <+pekster> You shouldn't need NAT unless you don't want (or are unable) to route between the LANs
21:27 <+pekster> Your default gw on the server-side LAN needs to know how to reach the virtual VPN network, otherwise traffic can never get back. Relevant firewalls also need to allow such traffic
21:28 < ngharo> jgspratt1: i think you're looking for "static routes" in a sonicwall
21:28 <+pekster> fu_fu: I don't know about the 32-bit version, but a default 64-bit install of openvpn 2.3.0 provides me with a '\bin\tap-windows.exe' file (same one that's in the installer package at .\$TEMP\tap-windows.exe)
21:29 < fu_fu> pekster, great i will check it out in a few
21:30 < ngharo> pekster: ohh 2.3 has the tap installer stuff back?
21:31 <+pekster> Not really, it just "provides" the installer in the \bin\ path
21:31 <+pekster> I really wish it would give you the stupid utilities
21:31 < ngharo> what good is the installer without the .sys and crap
21:31 <+pekster> No, you get a single TAP-Win32 device
21:32 < ngharo> oh ok, right
21:32 <+pekster> If you want more, or want to run the delete-all batch script, you need to install over itself with that optional feature (ie: the 2 batch scripts) installed. Or copy the batch files over from a 2.2.x install where they were provided by default
21:32 < ngharo> arghh :)
21:32 <+pekster> The actual drivers changed between versions (f.eg: to support IPv6, so you need the new stuff if you want any of the new features.)
21:33 <+pekster> It might be an oversight since the utilities are "optional" - if the nsis script just does a silent "default" install of tap-windows.exe it could be a mistake. Or a way to get you to pay for the non-FOSS version to do "fancy" stuff, I dunno. I couldn't find the .nsi files in a quick look through SVN
21:33 <+pekster> I need to check again and file a bug report when I can find the files to patch. The project's been split in a couple different github projects. That's ultimately good, but I don't know where half the files are anymore ;)
21:34 < ngharo> yeah i found it on github last i looked
21:34 < ngharo> lemme go find it again
21:34 <+pekster> It's lower priority to me since I have a workaround
21:34 <+pekster> Oh, the .nsi source for the openvpn project? (not tap-windows, since that installer is called *from* the openvpn installation)
21:35 <+pekster> If you have a link handy, I'll definitely take it as it'll save me time hunting. I did a quick trunk checkout and didn't see it in a quick search, so maybe the buildsystem creates it? I don't have the MS VS IDE crap, so that may be non-trivial for me :\
21:35 < ngharo> pekster: ok, nope. You're right. It was the tap-windows one that I saw
21:35 <+pekster> Yea
21:36 <+pekster> I need to dig, because it's not really in the spirit of the GPL to hide key build components like that :\
21:36 <+pekster> Hopefully just an oversight
21:36 < ngharo> yeah, maybe i'll see if I can have a buddy build the msvc project
21:36 <+pekster> But, at least the fix is now sitting nicely in the installed file path ;) As I said earlier, "progress" :D
21:36 < ngharo> see what it spits out
21:37 < ngharo> cheers to progress
21:37 <+pekster> Sure, that'd be cool. If he does, have him zip/tar/xz/whatever the result and post it somewhere
21:37 <+pekster> I'd love to do a file-based diff on source vs completed build
21:37 < ngharo> will do
21:37 <+pekster> I know how Linux/Unix builds work, not so much Windows ;)
21:39 <+pekster> I tried building a small project (just a few source files) and it was designed for the MS VS; there was some crappy command-line "freebie" alternative MSFT provided, and it was a huge pain to build it, bad error messages, etc. And that was just a proof-of-concept exploit I was testing for internal security 2 jobs ago. Apparently not paying for Visual Studio isn't the "right" way to go :(
21:41 < jgspratt1> ngharo: should I get this: pinging from server side to client side: http://hastebin.com/pugicenuta.coffee
21:41 <@vpnHelper> Title: hastebin (at hastebin.com)
21:45 < ngharo> probably not
21:47 < jgspratt1> ngharo: what should I probably see?
21:47 < ngharo> ping reply :)
21:47 <+pekster> Most (securely) configured systems these days won't follow ICMP redirect messages. What is that 10.24.1.1 host? If it's something upstream of the server LAN you likely have a misconfiguration on the LAN's gateway. If it's on the client-side path, maybe the route wasn't pushed?
21:47 <+pekster> Of course, you should already have pushed the route to the client properly if you followed that handy flowchart ;)
21:48 < jgspratt1> yep, the client has the route
21:48 < fu_fu> is this wrong? from the new readme post installation: file locations notice
21:48 < fu_fu> C:\Program Files\OpenVPN\config (32-bit Windows)
21:48 < fu_fu> C:\Program Files (x86)\OpenVPN\config (64-bit Windows)
21:48 < jgspratt1> 10.24.1.1 is the sonicwall
21:49 <+pekster> fu_fu: Looks right for a 32-bit install on a 64-bit installation. I use D:\Apps\ for all my installs, so that's wrong anyway for me ;)
21:49 <+pekster> See the output of the 'set' command in cmd.exe for details
21:50 <+pekster> jgspratt1: Then you need to fix that sonicwall device so it's correctly routing the traffic, not spitting back an icmp-redirect to the source
21:50 < jgspratt1> pekster: if I see "inet addr:10.25.8.1" on the server on the 10.25 side of things, should my route in the sonicwall take 10.0.0 to 10.25.8.1?
21:51 < jgspratt1> Right now, I have the "gateway" for 10.0.0 traffic going to 10.25.8.1
21:51 <+pekster> The route on the server-side LAN's default gw (your sonicwall I think?) needs to route the VPN network via the IP of the VPN server
21:52 < jgspratt1> pekster: which IP of the VPN server?
21:52 <+pekster> The one on the same network segment; gateways are always on your local network
21:53 < jgspratt1> server: http://hastebin.com/bocefawoto.sm
21:53 <@vpnHelper> Title: hastebin (at hastebin.com)
21:53 < jgspratt1> They are both on the same network segment: 10.25
21:53 <+pekster> You can't do that
21:53 < jgspratt1> I'm assuming tun0, but I've been wrong before
21:53 <+pekster> Put your VPN in a non-conflicting IP range
21:53 < jgspratt1> Why not?
21:53 <+pekster> It doesn't work
21:53 <+pekster> !tcpip
21:53 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
21:54 <+pekster> How the heck does the routing table know "which" 10.25.8.1 to use? Is it the VPN IP with that address, or the LAN device?
21:54 < jgspratt1> It won't conflict. I've mapped 10.25.8.0/24 as the VPN.
21:54 <+pekster> Yes, it will, because that network is a *part* of 10.25/16
21:54 <+pekster> Don't do that. That's the reason things are broken
21:55 <+pekster> It's as if you had 2 blocks both called "First" street in a city. Even if one block only goes for 20 feet and has a single house, how does the post office know "which" house to deliver a package to if there are 2 houses both called "500 First Street"?
21:55 < jgspratt1> Ok, my bad. The sonicwall VPN works that way, so I assumed...
21:56 <+pekster> The device didn't do anything; someone configured the VPN and network information to use those addresses ;)
21:56 < jgspratt1> Ok, so the entire east coast IP range is 10.24.0.0 through 10.31.255.255.
21:57 < jgspratt1> What IP range should I assign to the OpenVPN?
21:57 <+pekster> I can't speak to the rest of your setup. Just don't use overlapping networks on any device that is within the routing scope of your usage
21:57 < jgspratt1> How is the sonicwall supposed to know how to route traffic to an IP that isn't on one of its interfaces?
21:58 < jgspratt1> If 10.24.1.101 comes in and asks to go to 10.0.0.10, I need it to go to the OpenVPN somehow.
21:58 <+pekster> By adding a route. That link I had the bot paste above is a good place to start if you don't understand basic TCP/IP routing
21:59 < jgspratt1> Which interface do I put the route's destination on?
21:59 <+pekster> What is 10.0.0.10? The link you showed me isn't the OpenVPN server you're talking about?
22:00 < jgspratt1> Some of the links I showed you were.
22:00 < jgspratt1> 10.0.0.10 is on the 10.0.0.0/24 network: west coast data center
22:00 < jgspratt1> 10.24-10.31 is east coast
22:01 < jgspratt1> I'm trying to bridge the east and west coast datacenters.
22:01 <+pekster> That last link, at http://hastebin.com/bocefawoto.sm, shouldn't be overlapping networks like that. Put your PtP links on a non-conflicting network, and add route statements at either end to route to the range(s) accessible at the opposing end via the IP of the peer
22:01 <@vpnHelper> Title: hastebin (at hastebin.com)
22:01 <+pekster> Besides firewalls, that's all you have to do
22:02 < jgspratt1> What interface should I make the route go to?
22:02 <+pekster> Your tun interface. OpenVPN takes care of that for you
22:02 <+pekster> 'route $remotely_accessible_network $remote_netmask'
22:02 < jgspratt1> On the SONICWALL, X3, for example, is 10.25, which is where 10.25.1.101, the physical server hosting the openvpn, is.
22:02 <+pekster> Do that for any ranges you need, and you're done
22:03 < fu_fu> pekster thanks for the addtap help, i'm stoked
22:03 < jgspratt1> Good ol' 10.25.1.102 doesn't know how to get to 10.0.0.10, so he sends packets to his gateway, 10.25.1.1. Which interface should the gateway forward those packets to?
22:03 < fu_fu> are there issues with running TAP links and TUN links with the same windows service?
22:04 <+hazardous> 10.0.0.1?
22:04 < jgspratt1> pekster: those routes are working on the client, exactly.
22:04 < jgspratt1> hazardous: an ip address is not an interface
22:04 <+pekster> The IP is on an interface that the kernel knows about
22:04 <+pekster> You don't route "to an interface"
22:04 <+pekster> You route to an IP that is turned into a L2 MAC address via ARP (at least on Ethernet/TCPIP networks)
22:05 < jgspratt1> In the sonicwall routing, I need to add an interface
22:05 < jgspratt1> and I know for a fact this was working before I moved this datacenter
22:05 <+pekster> Then type 'ifconfig' or 'ip addr show' or whatever sonicwall's command is to show you interfaces and figure out what interface it's on
22:05 <+pekster> It's really not hard
22:06 < jgspratt1> pekster: but I am being told to put the IP of the openvpn server outside of the ranges that are actually on my network.
22:06 <+pekster> Forgive me if this sounds like it's not going anywhere, but you're asking very, very basic networking questions that you should really already know before configuring OpenVPN in a complex network topology like this
22:07 < jgspratt1> Let's use examples. say I use 10.28.1.1 as my openvpn server address, which I haven't used any of yet. How could the sonicwall route to that?
22:08 < fu_fu> show interface info or show interface details
22:08 <+pekster> That's just a virtual address. The device needs a physical address
22:08 <+pekster> You route to the address on the physical link
22:08 < jgspratt1> fu_fu: I know all my interface details by heart.
22:08 < fu_fu> right on
22:08 < jgspratt1> which one do you want to know the details of?
22:09 < fu_fu> i'll stay out of it
22:09 <+pekster> I can't really help you if you don't understand how to identify the local IP of a server on your LAN as the target of a route command
22:09 < jgspratt1> are you serious?
22:09 < jgspratt1> you think I make six figures doing networking and I don't know how to ID an IP?
22:10 <+pekster> "what interface do I use?" Seriously?
22:10 <+pekster> You use the interface of the LAN that that IP is reachable on
22:10 <+pekster> I don't give a crap where you work, how much you make, or where you got your degree. Your server-side LAN's remote gateway needs a route that sends traffic BOUND FOR your remote network ranges *via* your VPN server's IP on that LAN
22:11 < jgspratt1> Makes sense to me, sure. Now, give me an example IP to use for the server that won't conflict.
22:11 <+pekster> Is your network all a subset of 10/8? Just use 172.29.0.1 and 172.29.0.2. Done. Now they don't conflict
22:11 <+pekster> Next problem?
22:12 < jgspratt1> Tell me what rule to write in my sonicwall gateway please
22:12 <+pekster> The gateway where, on the server-side LAN?
22:12 <+pekster> The LAN you're trying to expose?
22:12 < jgspratt1> server-side, east coast
22:12 <+pekster> No clue what 'east coast' is. I've seen a single config file
22:13 < jgspratt1> It's on the 10.25 (X3) network.
22:13 <+pekster> Do you mean how to add a route on 10.25/16's default gateway for the remote network? This 10.0.0.0/24 ?
22:14 < jgspratt1> Right. I tried saying 10.0/24 goes to 10.25.8.1 on X3, but clearly that was wrong.
22:15 <+pekster> 'ip route add 10.0.0.0/24 via 10.25.1.101'
22:15 <+pekster> That's after you fix your conflicting networks, of course
22:15 < jgspratt1> So, the OpenVPN is accepting packets on its eth0, not its tun?
22:15 <+pekster> The HOST is
22:15 <+pekster> !tcpip
22:15 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
22:16 <+pekster> !101
22:16 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
22:17 <+pekster> I don't really think it's fair that I'm doing your basic networking homework for your company and not getting paid for it
22:17 < jgspratt1> I assumed tun0, but I've been wrong before
22:21 <+pekster> fu_fu: Sorry, missed your question in this mess. What do you mean running a tun and tap in the same service? You mean having the service start 2 separate configs, one using tun and another tap? Sure, nothing wrong with that at all
22:22 <+pekster> Personally I prefer having more direct control over each process so I can restart/signal them independent of each other, but if you don't need such a feature, the service can manage them both "at once" for you as a master start/stop switch
22:23 < fu_fu> i prefer starting them as a daemon, but i need to be able to log off and the daemon logs off as well, maybe I should set up some scripts for them or make my own services
22:24 < fu_fu> i like to see the running logs on screen too, wish there was a management interface of some sort, with multiscreens and fancy junk like that
22:25 <+pekster> There is a management interface ;)
22:25 <+pekster> !management
22:25 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read http://svn.openvpn.net/projects/openvpn/obsolete/BETA21-preauto/openvpn/management/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN
22:25 <+pekster> You can also just log to a file and read that if you only care about the logs
22:26 <+pekster> Otherwise just use the standard OpenVPN-GUI tool if you want a tray icon that lets you start them as you need and terminates them on logoff
22:26 <+pekster> Or write your own scripts. Plenty of options ;)
22:30 < fu_fu> so the service can start client and server scripts at the same time? just checking before i start a new design
22:30 <+pekster> fu_fu: Yup. See: http://openvpn.net/index.php/open-source/documentation/install.html?start=1
22:30 <@vpnHelper> Title: Installation Notes - Installation (Win32) (at openvpn.net)
22:31 <+pekster> Your 3 basic options are: 1) OpenVPN-GUI, 2) via command line (or an app/script you write that calls the command directly,) or 3) system service
22:31 <+pekster> Each is outlined there
22:34 < jgspratt1> pekster: as much as I try, I still get that redirect host message when pinging.
22:34 < jgspratt1> I'm using your address scheme, but I don't seem to get a reply
22:35 <+pekster> I no longer care. You've clearly made a routing mistake somewhere, which isn't surprising given your prior problems overlapping networks and having problems understanding how routing works
22:35 < jgspratt1> 10.25 -> 10.0 network gets redirect host (sonicwall is saying that), and 10.25 <- 10.0 only goes to 10.25.1.101, not, for example, .102
22:35 < fu_fu> cool thanks, i have read these but i am used to windows lately, they tend to leave out what you can NOT do in the docs. i try to ask my goal specifically for this reason. nothing i have yet seen with a few weeks dealing with OpenVPN indicates the same issue tho. Kudos
22:37 <+pekster> fu_fu: Sure. All 3 systems work, and you can configure them to do what you want. Pick one that seems to best meet your needs, then modify it to suit your specific purpose. No way to launch openvpn is "wrong", but some might be more work for your particular end-goals
22:38 < jgspratt1> Well, for anyone who does care to lend a hand: Here are my routing tables on the client and server: http://hastebin.com/gadalaxelu.vala
22:38 <@vpnHelper> Title: hastebin (at hastebin.com)
22:39 < jgspratt1> I'm trying to get 10.0.0.10 to go to the tun and then to 10.25.1.102 (and then back). I'm afraid that the "and then back" is the problem.
22:39 < jgspratt1> 10.25.1.101 knows to send things "back" to 10.0/24 via its openvpn, but .102 doesn't.
22:40 <@krzee> understand this well:
22:40 <@krzee> !route
22:40 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
22:40 < jgspratt1> I tried to set the Sonicwall to route stuff headed to 10.0/24 to go to the listening 10.25.1.101, which is where I set "local 10.25.1.101".
22:41 < jgspratt1> alright, give me some minutes to read that.
22:45 < jgspratt1> "The answer is iroute!" --this makes sense to me, but I know for a fact (via Github) that this was never in the server.conf file although we are client-to-client.
22:48 < jgspratt1> is the "common name" the hostname? trying to figure out what to call the ccd/ file
22:48 <@krzee> common-name is whatever you made it when making your certs
22:50 < jgspratt1> ah, right
23:01 < jgspratt1> krzee: ok, I set up iroute
23:02 < jgspratt1> http://hastebin.com/rumifebina.hs
23:02 <@vpnHelper> Title: hastebin (at hastebin.com)
23:02 < jgspratt1> That file should be sent to the client.
23:02 < jgspratt1> However, machines on the east coast still cannot get back to the west coast
23:02 <@krzee> !clientlan
23:02 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
23:02 <@krzee> follow the flowchart
23:02 <@krzee> i don't have time to walk you through stuff
23:03 * rob0 follows the flowchart
23:03 < jgspratt1> Right, I saw that chart. I did the step "add a route to the router so it knows how to reach the vpn subnet"
23:03 <@krzee> but i did write !route and made the flowcharts in !clientlan and !serverlan. if you understand the basics of routing that's all you should really need
23:03 <@krzee> good luck to ya, i need to go test my new product line :D
23:04 < jgspratt1> The route I wrote was if going to 10.0.0.0/24, go to 10.25.1.101
23:04 < jgspratt1> That's the OpenVPN server eth0, however, no packets can actually make it back.
23:04 <+rob0> are you looking at the flowchart?
23:04 < jgspratt1> Yep!
23:05 < jgspratt1> I have it on my screen right this very moment, sir.
23:06 <+rob0> I don't, but I recall seeing something on it about enabling IP forwarding.
23:07 < jgspratt1> rob0: does http://hastebin.com/vecelijumu.coffee indicate that I'm doing it wrong?
23:07 <@vpnHelper> Title: hastebin (at hastebin.com)
23:12 <+rob0> does that say something about enabling IP forwarding on 10.25.1.101? What OS is 10.25.1.101?
23:13 < jgspratt1> 10.25.1.101 is Ubuntu
23:13 <+rob0> !linipforward
23:13 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
23:13 <+rob0> "cat /proc/sys/net/ipv4/ip_forward"
23:16 < jgspratt1> Ok, I enabled ip forwarding on the openvpn server
23:17 < jgspratt1> I'm still getting a similar problem
23:18 < jgspratt1> Here's the client: http://hastebin.com/moxisolowe.rb
23:18 <@vpnHelper> Title: hastebin (at hastebin.com)
23:21 < jgspratt1> And the server is kind of freaking out route-wise: http://hastebin.com/voviludeho.vhdl
23:21 <@vpnHelper> Title: hastebin (at hastebin.com)
23:23 <@krzee> if you *just* enabled ip forwarding
23:24 <@krzee> after following the flowchart and stating that you enabled a route on the router (which comes after ip forwarding on the flowchart)
23:24 <@krzee> then you basically proved that following directions in order is not your strong suit
23:24 <@krzee> in which case, best of luck to ya dude, i doubt this is for you :-p
23:26 < jgspratt1> Well, you said to enable IP forwarding in my OpenVPN host which is not my firewall
23:26 < jgspratt1> At least, it's not what I call my firewall on a day-to-day basis.
23:26 < jgspratt1> That's what I call my SonicWALL.
23:27 <@krzee> do you know what ip forwarding is / does?
23:27 < jgspratt1> But, fair enough, you suggested to enable it on my Ubuntu machine so I did.
23:28 <@krzee> ip forwarding is needed on any machine that is expected to allow packets to traverse from 1 network device to another
23:28 < jgspratt1> I'm not sure what enabling that does, no, because this was working before I moved datacenters. It doesn't seem to be how this setup is intended to be by the guy who set it up originally.
23:28 <@krzee> whether that means your "ubuntu machine" is up to you to figure out -[
23:28 <@krzee> =]*
23:29 < jgspratt1> Gotcha, so, promiscuous accepting of packets and forwarding them
23:29 <@krzee> promiscuous?
23:29 <@krzee> i think you just mis-used that word, but ok
23:29 < jgspratt1> Fair enough, sure. Anyway, it takes packets and routes them now.
23:30 < jgspratt1> Is it OK that I'm at the "Add a route to the router..." step now?
23:30 <@krzee> no idea
23:30 <@krzee> try starting over and following the directions
23:30 <@krzee> step by step, starting at the top
23:30 < jgspratt1> I'll go from the top, sure.
23:32 < jgspratt1> Yeah, I'm pretty sure I'm in the right spot. I can ping 172.16.0.8, which is the client VPN IP.
23:32 < jgspratt1> I pushed out the routes
23:33 < jgspratt1> I see the iroute config is correct: internal route 10.0.0.0/24 ->
23:33 < jgspratt1> Can I ping the lan IP of the client? no.
23:33 < jgspratt1> Turn on IP forwarding, done.
23:34 < jgspratt1> Can I ping the lan IP of the client? Still no.
23:34 <@krzee> check client firewall
23:34 <@krzee> also check ip forwarding in that firewall
23:34 < jgspratt1> Is my client my firewall also?
23:35 <@krzee> grrr i need one of my users to get around so we can test my shit!
23:35 <+rob0> any Linux machine can have an iptables firewall
23:35 < jgspratt1> Oh, now I see what you mean by firewall here. I was thinking appliance.
23:36 < jgspratt1> Ok, it was already set on the client to forward.
23:44 < jgspratt1> rob0: I'm still stuck with no ping. I've tried many settings.
--- Day changed Wed Jan 09 2013
00:00 < jgspratt1> rob0: now I'm getting this: http://hastebin.com/naxacariku.vbs
00:00 <@vpnHelper> Title: hastebin (at hastebin.com)
00:01 < jgspratt1> so, I can actually get from the east coast to the west coast.
00:01 < jgspratt1> going the opposite way seems to be the problem.
02:22 < Halagan> Hi guys, I have a problem with a Safenet iKey1032 when logging in to the VPN with a certificate. We installed the last version of iKey1000SDK (4.2.0) for iKey 1032 under OS Windows 7 x64.
02:22 < Halagan> App installed correctly and the utility shows some information about the token.
02:22 < Halagan> We have an openvpn certificate on this iKey and we use this certificate to log in to the vpn site.
02:22 < Halagan> When we run the openvpn client, an error appears with the message "the ordinal 322 could not be located in the dynamic link library libeay32.dll". So I copied this file and the file ssleay32.dll from windows\system32 to openvpn\bin, where I replaced the original openvpn files. Then I started the openvpn client again, and the openvpn daemon crashed with an error. We use openvpn-2.2.2-install.exe, but I have also tried version openvpn-install-2.3_rc1-I003-x86_64.exe with the same results. Under OS Windows XP 32 bit with iKey1000SDK (4.0.0.4) this certificate on the token runs without problems. I tried to install the latest openssl library for 32 and 64 bit OS Windows from the site http://slproweb.com/products/Win32OpenSSL.html, of course I installed the additional recommended library (Visual C++ 2008 Redistributables x32 and x64). Please suggest me a solution. Thanks.
02:25 <+pekster> Halagan: How are you starting OpenVPN? Are you using the OpenVPN GUI from your Windows tray icon? When you install OpenVPN, it uses its own bundled copy of OpenSSL so you don't need to install that separately
02:28 < Halagan> I am starting OpenVPN with config file .ovpn.
02:29 <+pekster> Okay. It sounds like there might be a problem tying the smartcard you're using with the SSL library. I have 2 suggestions: first, try downloading the latest 2.3.0 (just recently released the last couple of days) and see if that changes anything. 2nd, try using the 32-bit version, in case there's some 64/32-bit conflict with your smartcard libraries
02:30 <+pekster> I'm guessing at both of those solutions, but it doesn't sound like an OpenVPN issue, more like an issue interacting with the PKCS11 provider (ie: your smartcard.)
02:30 <+pekster> I assume you've already tested your smartcard on the client software, and it's working normally?
02:33 < Halagan> Under OS Windows XP the client works fine without problems. You mean OpenSSL version 2.3.0 ?
02:33 <+pekster> No, you listed an OpenVPN "rc", or Release Candidate version. The official 2.3.0 version is now available for download
02:33 <+pekster> !download
02:33 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
02:34 <+pekster> If it's working under XP, your smartcard might only work properly with a 32-bit SSL library. You can't just replace the library with the one your smartcard suite uses because OpenVPN is compiled specifically against the version of the dll provided by the installer (ie: you can't just drop in a 32-bit version and expect your 64-bit OpenVPN.exe to work)
02:35 <+pekster> Try the 2.3.0 OpenVPN version for 32-bit, not 64. Completely uninstall your current OpenVPN version, then install that
02:35 <+pekster> It might just work
02:37 < Halagan> Okay, I'll try it. Thanks. If that does not work, then I'll bother you again :-)
02:37 <+pekster> Well, if that doesn't work it's a more subtle (and harder to solve) problem
03:26 < IT> back
03:26 < IT> morning guys
03:40 < IT> @ecrist, major breakthrough, that route correction solved the problem and now i can ping between gateways
03:48 < IT> @ecrist, can't ping other machines behind the gateways though :(
04:42 < IT> i'm stuck at this particular step
http://imagehost.pitestinet.ro/images/m1vdzvvgdwfduni6yi4.png can i have an example of this? 04:46 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 04:55 <@dazo> IT: you need to log into your router ... and add in an explicit route there of your VPN subnet and tell the router to send that traffic to your OpenVPN server's LAN IP 04:56 <@dazo> (that route will be an additional route to whatever you already have there) 04:56 <@dazo> how that is done on your router is out of the scope for this channel, though ... as we don't support routers here, just openvpn setups 04:58 <@dazo> krzee: ... I got an idea for your troubleshoot images .... add a number on each of the blocks ... then it's easier to point at which step people stops at 05:01 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn 05:02 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Read error: Connection reset by peer] 05:21 -!- Carbon_Monoxide [~cmonxide@116.92.14.130] has quit [Quit: Leaving] 05:27 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 05:29 -!- neverme [neverme@177.182.56.94] has joined #openvpn 05:30 < neverme> Hi, I would like to know if its possible to use a single Instance of OpenVPN with multiple public IPs ? Like I want client A to use the outbound IP 1, client B to use IP 2 and so on, or do I have to create 1 VPN to each IP ? 05:39 -!- neverme [neverme@177.182.56.94] has quit [Quit: Leaving] 05:48 < Rienzilla> is possible with one server instance I guess 05:54 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn 06:05 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn 06:07 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 06:11 < thermoman> why does easyrsa-2.0 create a 01.pem, 02.pem etc besides the name.crt files? 
06:12 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Ping timeout: 248 seconds]
06:18 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
06:52 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
06:52 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Remote host closed the connection]
06:53 <@ecrist> IT: pastebin another traceroute from one LAN machine to a LAN machine on the other network.
07:04 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn
07:08 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
07:09 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
07:10 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Client Quit]
07:11 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
07:15 < IT> ecrist: http://pastebin.com/7gJJfMb2
07:16 <@ecrist> IT: NOW is it a firewall issue?
07:16 < IT> i stopped the firewall ...
07:16 <@ecrist> !iptables
07:16 <@vpnHelper> "iptables" is (#1) to test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -F; iptables -Z or (#2) please see http://openvpn.net/man#lbBD for more info or (#3) you can see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for pf or iptables or (#4) These are just the
07:16 <@vpnHelper> basics to get OpenVPN working. Proper firewall design is beyond the scope of this channel. You can try #iptables
07:17 <@ecrist> can you pastebin your configs again?
07:19 < IT> ofc http://pastebin.com/BUxV6x8X
07:23 < IT> pfff
07:23 < IT> i'm such a retard, i forgot one firewall on LAN2
07:23 <@ecrist> the pastebin above (pings/traceroute) seems to indicate you can only ping from one side to the other, and not both directions
07:23 < IT> it's down, let me retest
07:23 < IT> aaaaaaaand it's working
07:23 <@ecrist> :)
07:23 <+rob0> yay
07:24 < IT> yes!
07:24 < IT> they are all working! :x:X:X:X
07:24 <@ecrist> quoting our /topic: Your problem is probably your firewall, really
07:24 <@ecrist> ;)
07:24 < IT> =))
07:24 <@ecrist> IT: now, don't you feel better prepared to resolve future issues than if you'd paid someone to do it for you?
07:25 < IT> /respect level +1 for ecrist and rob0
07:25 < IT> hell yea
07:25 < |Mike|> lol
07:25 <@ecrist> !donate
07:25 <@vpnHelper> "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel. or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc. or (#3) http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations for Contribution totals and benefactors
07:25 < IT> took me 3 weeks to solve it, but at least i got a good glimpse of it
07:29 <@ecrist> glad you got it working, IT
07:30 < IT> ecrist are you part of the staff?
07:30 <@ecrist> yes
07:31 <@ecrist> I run the community services, like IRC, the secure-computing wiki, and community infrastructure
07:31 < |Mike|> now he's going to make you an offer *g* :P
07:31 <@ecrist> I'm also the easy-rsa maintainer
07:32 < IT> check paypal in a few moments
07:32 < IT> thanks again
07:32 <@ecrist> also, feel free to check /msg chanserv info #openvpn
07:33 < IT> you lost me there, i'm an irc noob
07:35 < jgspratt1> Hello, I am having a problem with http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing and http://ircpimps.org/clientlan.png . client.conf: http://hastebin.com/qaciwiwugu.vala ; server.conf: http://hastebin.com/papugiroce.vala ; server networking: http://hastebin.com/tacimotaki.sm ; client networking: http://hastebin.com/butabiqore.sm
07:35 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
07:35 < jgspratt1> The problem is in the last link: I can't ping 10.25.1.102 from 10.0.0.10
07:36 < jgspratt1> interestingly, on another miscellaneous box on the server-side LAN, I can get to 10.0.0.10: http://hastebin.com/yibefikemo.vhdl
07:36 <@vpnHelper> Title: hastebin (at hastebin.com)
07:37 <@ecrist> IT, type /msg and the rest of that line
07:37 < jgspratt1> (and by "last link" I mean last URL posted)
07:37 < IT> done that :P
07:42 -!- valparaiso [~valparais@ARennes-257-1-179-35.w2-13.abo.wanadoo.fr] has joined #openvpn
07:42 -!- valparaiso [~valparais@ARennes-257-1-179-35.w2-13.abo.wanadoo.fr] has left #openvpn []
07:42 < jgspratt1> In fact, the http://ircpimps.org/clientlan.png doesn't seem to cover my problem: I can answer "yes" to all of the questions now, and I get to "it works!"
07:43 < jgspratt1> But, the client can't get responses from arbitrary hosts on the server side
07:43 < jgspratt1> Is OpenVPN even able to do that?
07:43 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Read error: Connection reset by peer]
07:44 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn
07:48 < jgspratt1> Also, I don't understand why traceroute treats 10.25.1.101 and 10.25.1.102 differently in the trace.
07:48 < jgspratt1> http://hastebin.com/lisivovime.rb
07:48 <@vpnHelper> Title: hastebin (at hastebin.com)
08:06 <@ecrist> jgspratt1: firewall?
08:06 < jgspratt1> ecrist: iptables are off and I have included the ip forwarding in both the server and the client.
08:07 <@ecrist> !diagram
08:07 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
08:09 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Read error: Operation timed out]
08:10 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
08:10 < jgspratt1> ecrist: http://hastebin.com/rotiyaqefa.1c
08:10 <@vpnHelper> Title: hastebin (at hastebin.com)
08:11 < jgspratt1> I had this all working before moving this data center to a new location and changing the IP addressing scheme on the server side to what it is now.
08:11 < jgspratt1> Basically, 10.25.1.102 can get to both clients, but 10.0.0.10 can only get to 10.25.1.101
08:14 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
08:16 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds]
08:23 < jgspratt1> ecrist: so, do you think my problem is with the route on the router? "add a route to the router so it knows how to reach the vpn subnet" (from http://ircpimps.org/serverlan.png )
08:23 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Quit: Leaving]
08:27 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has joined #openvpn
08:28 -!- ade_b [~Ade@109.58.166.181.bredband.tre.se] has joined #openvpn
08:28 -!- ade_b [~Ade@109.58.166.181.bredband.tre.se] has quit [Changing host]
08:28 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:29 -!- DX099 [~DX099@2a01:e35:2eaf:e400:3dee:8180:898d:1df2] has joined #openvpn
08:29 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 260 seconds]
08:29 < DX099> hello
08:29 < DX099> I have some problems connecting to some servers. My open-vpn client says something about timeout but I suspect port forwarding problems
08:30 < DX099> do I have to have some ports open ? How can I specify the server the range of ports that are available for it to connect to ?
08:30 <@ecrist> jgspratt1: can you post a traceroute for the failure?
08:31 < jgspratt1> ecrist: that's in http://hastebin.com/butabiqore.sm
08:31 <@vpnHelper> Title: hastebin (at hastebin.com)
08:31 < jgspratt1> "traceroute to 10.25.1.102" part starting at line 71
08:31 < jgspratt1> What should be in my ccd/ file for this client?
08:31 <@ecrist> when you say "10.25.1.102 can get to both clients" what do you mean?
08:32 < jgspratt1> I mean it can ping/ssh to 10.0.0.10 and 10.0.0.18
08:33 <@ecrist> which pastebin has your configs?
08:34 < jgspratt1> client.conf: http://hastebin.com/qaciwiwugu.vala ; server.conf: http://hastebin.com/papugiroce.vala
08:34 <@ecrist> is ip_forwarding enabled on your vpn server?
08:34 <@vpnHelper> Title: hastebin (at hastebin.com)
08:34 < jgspratt1> yes
08:34 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
08:34 <@ecrist> ugh
08:34 <@ecrist> !configs
08:34 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) don't forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
08:35 <@ecrist> I'll put up with them for now, but in the future, remove all the comments
08:35 < jgspratt1> Thanks, will do.
08:35 < IT> does openvpn have any bandwidth limitation built in?
08:36 <@ecrist> you need to add the line route 10.24.0.0 255.248.0.0 to your server config
08:36 < jgspratt1> Most recently, I had http://hastebin.com/webisidano.hs as my ccd file for the lone client
08:36 <@vpnHelper> Title: hastebin (at hastebin.com)
08:36 <@ecrist> you're pushing it, but you're not allowing openvpn to route it
08:36 <@ecrist> so, VPN clients are sending traffic to the VPN server for the subnet, but the server is dropping the traffic
08:37 < jgspratt1> oh, that makes sense. so, openvpn doesn't just "use" the linux routes?
08:37 <@ecrist> not internally
08:37 < jgspratt1> how can I see what routes it is using internally? is there a command for that?
08:38 <@ecrist> how about you just trust me
08:38 <@ecrist> it's using what you tell it to use in the config
08:40 < jgspratt1> Sounds good. Ok, I set that up, shipped the conf file, and restarted the server and client. Same issue.
08:41 <@ecrist> show me the new config, please
08:41 <@ecrist> and the CCD
08:41 <@ecrist> also
08:41 <@ecrist> !logs
08:41 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you don't know how to find your logs, see !logfile
08:45 -!- hazardous [~dbn@openvpn/user/hazardous] has quit [Ping timeout: 260 seconds]
08:46 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 260 seconds]
08:46 -!- hazardous [~dbn@openvpn/user/hazardous] has joined #openvpn
08:46 -!- mode/#openvpn [+v hazardous] by ChanServ
08:47 < jgspratt1> new server.conf: http://hastebin.com/cahixuxace.hs ; current ccd: http://hastebin.com/webisidano.hs ; server log: http://hastebin.com/qixihofogu.vbs ; client log: http://hastebin.com/juyifanobi.md
08:47 <@vpnHelper> Title: hastebin (at hastebin.com)
08:50 < jgspratt1> Is that CCD route wrong?
08:50 < jgspratt1> I tried taking it out just now.
08:50 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
08:50 < jgspratt1> If I take it out, the client logs this: http://hastebin.com/jasogemaho.pas
08:50 <@vpnHelper> Title: hastebin (at hastebin.com)
08:50 * ecrist looks
08:51 <@ecrist> jgspratt1: for every push "route..." you have, you need a corresponding route line
08:52 <@ecrist> also, your version of OpenVPN is out of date
08:52 < jgspratt1> ecrist: ok, fair enough, how's this: http://hastebin.com/yexerafipa.hs
08:52 <@vpnHelper> Title: hastebin (at hastebin.com)
08:53 <@ecrist> jgspratt1: did you see line 34 in your server log?
08:53 <@ecrist> that's probably your routing issue
08:54 < jgspratt1> Oh, good call. How did I create that overlap?
08:54 <@ecrist> you tell me
08:54 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 240 seconds]
08:55 < jgspratt1> Well, I specify that the local VPN has a range of 10.24.0.0/255.248.0.0
08:55 < jgspratt1> But the remote VPN is 10.0.0.0/24
08:55 <@ecrist> yeah, there's your overlap
08:55 < jgspratt1> But it says the "remote" VPN is in issue.
08:55 -!- MarKsaitis_ [~MarKsaiti@81.101.81.114] has joined #openvpn
08:56 <@ecrist> openvpn seems to think you're using 10.24.0.0/255.248.0.0
08:56 < jgspratt1> That's on a different LAN, right?
08:56 < jgspratt1> That's the entire local LAN, yes.
08:56 < jgspratt1> I want hosts to be able to get there.
08:56 -!- MarKsaitis_ [~MarKsaiti@81.101.81.114] has quit [Read error: Connection reset by peer]
08:56 < jgspratt1> From the remote side.
08:56 <@ecrist> i've gotta scoot for a bit, bbl
08:57 < jgspratt1> If I want to achieve http://hastebin.com/rotiyaqefa.1c where each host on that network can get to any other host, what's wrong with my config?
08:57 <@vpnHelper> Title: hastebin (at hastebin.com)
08:58 -!- MarKsaitis [~MarKsaiti@81.101.81.114] has quit [Read error: Operation timed out]
08:59 < jgspratt1> I should add to that diagram a bit: http://hastebin.com/mubijulata.1c
09:00 <@vpnHelper> Title: hastebin (at hastebin.com)
09:00 < jgspratt1> Can someone suggest a server config that would achieve this?
09:02 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
09:05 -!- niervol [~krystian@193.106.244.150] has quit [Remote host closed the connection]
09:10 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
09:11 < jgspratt1> How does what I'm doing disagree with what http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing is suggesting?
09:11 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
09:18 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
09:19 -!- jgspratt [~jgspratt@66.162.71.166] has joined #openvpn
09:19 -!- jgspratt1 [~jgspratt@66.162.71.166] has quit [Read error: Connection reset by peer]
09:22 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 246 seconds]
09:28 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
09:28 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
09:31 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Client Quit]
09:35 -!- Konigsberg7 [~mIRC@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
09:35 -!- Konigsberg7 [~mIRC@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
09:37 -!- DX099 [~DX099@2a01:e35:2eaf:e400:3dee:8180:898d:1df2] has quit [Quit: DX099]
09:38 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
09:38 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
09:38 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
09:38 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Remote host closed the connection]
09:38 -!- Konigsberg [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
09:39 < jgspratt> How does what I'm doing disagree with what http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing is suggesting?
09:39 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
09:42 -!- Konigsberg [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Client Quit]
09:42 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
09:42 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
09:42 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
09:42 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
09:42 -!- Konigsberg [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
09:46 < jgspratt> Can someone suggest a server config that would achieve this?
09:46 < jgspratt> I'm trying to be able to ping from 10.0.0.10 to 10.25.1.102: http://hastebin.com/mubijulata.1c
09:46 <@vpnHelper> Title: hastebin (at hastebin.com)
09:48 < |Mike|> !configs jgspratt
09:48 < |Mike|> !tell jgspratt configs
09:49 < |Mike|> hrm, syntax changed?
09:49 < jgspratt> |Mike| wants me to tell you: configs
09:49 < jgspratt> But, sure, I can repost them, hang on.
09:49 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
09:49 < |Mike|> !configs
09:49 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) don't forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
09:49 < |Mike|> !logs
09:49 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you don't know how to find your logs, see !logfile
09:50 < jgspratt> server: http://hastebin.com/yexerafipa.hs ; current ccd: http://hastebin.com/webisidano.hs ; server log: http://hastebin.com/qixihofogu.vbs ; client log: http://hastebin.com/juyifanobi.md
09:50 <@vpnHelper> Title: hastebin (at hastebin.com)
09:50 < jgspratt> I've also tried the ccd as just "iroute 10.0.0.0 255.255.255.0"
09:52 < jgspratt> Is what I'm trying to do possible with OpenVPN or do I need something commercial?
09:52 < jgspratt> I see the warning "WARNING: potential route subnet conflict between local LAN [10.25.1.0/255.255.255.0] and remote VPN [10.24.0.0/255.248.0.0]"
09:52 < jgspratt> That must come from push "route 10.24.0.0 255.248.0.0" ; route 10.24.0.0 255.248.0.0
09:53 < jgspratt> However, those /are/ the LAN IP ranges on my server-side that I want my clients to be able to get to.
09:58 < jgspratt> |Mike|: here is an updated server log from a restart with the simple CCD: http://hastebin.com/jocavaraba.vbs
09:58 <@vpnHelper> Title: hastebin (at hastebin.com)
10:06 < jgspratt> How do I correctly specify the openvpn settings for my network topology?
10:06 < |Mike|> !topology
10:07 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this.
10:07 < |Mike|> sorry, i'm a bit in a hurry here
10:07 < jgspratt> How can I avoid this network overlap problem but still be able to use openvpn to do something useful
10:08 < jgspratt> Is the server conf line `push "route 10.24.0.0 255.248.0.0"` correct or not?
10:09 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
10:09 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 260 seconds]
10:10 -!- Azrael808 [~peter@212.161.9.162] has quit [Client Quit]
10:11 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:13 -!- gladiatr [~sdspence@24.124.15.166] has joined #openvpn
10:13 -!- gladiatr [~sdspence@24.124.15.166] has quit [Changing host]
10:13 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
10:13 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
10:19 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 240 seconds]
10:21 -!- master_of_master [~master_of@p57B53BBC.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
10:23 -!- master_of_master [~master_of@p57B54741.dip.t-dialin.net] has joined #openvpn
10:31 < jgspratt> Is there a way to fix this?
10:37 < jgspratt> Can you use OpenVPN to make a "site-to-site" thingie?
10:47 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:47 -!- mode/#openvpn [+v s7r] by ChanServ
10:55 < jgspratt> anyone?
10:58 < chrisb> i use openvpn between a local host and a remote server
10:58 < jgspratt> chrisb: do you know what I'm doing wrong routing-wise?
10:58 -!- Halagan [~Miranda@a4.evona.ba.cust.gts.sk] has quit [Read error: Connection reset by peer]
10:58 <@ecrist> jgspratt: if you read the !routing page thoroughly, it should resolve your issues
10:59 <@ecrist> otherwise, I may be able to help again later today
10:59 < jgspratt> ecrist: yep, I read all of that
11:00 < jgspratt> can you explain why I'm getting the routing conflict?
11:00 < chrisb> jgspratt: i only route from a single local private net 192.168.x.x to the remote
11:00 < jgspratt> what should my server.conf say?
11:01 < jgspratt> with http://hastebin.com/mubijulata.1c should 10.0.0.10 be able to get to 10.25.1.102?
11:01 <@vpnHelper> Title: hastebin (at hastebin.com)
11:01 < jgspratt> chrisb: I'm trying to make that one client work for now.
11:02 < chrisb> oh, i see, it looks like addresses overlap...fix that conflict or NAT somehow
11:03 < jgspratt> "fix it"--can you offer any suggestions on a valid config?
11:03 < jgspratt> I realize and accept that my config is wrong. Granted. How do I make it correct based on my topology?
11:04 < jgspratt> What I'm trying to tell the client is "10.24/13 is on the server's network, go through the VPN tunnel"
11:05 < jgspratt> What the error says to me is "Your VPN server is on your destination network: it is 10.25.1.101 and your network is 10.24/13, so, error, error, that's an overlap."
11:06 -!- gojafe [~rasengan@eyearesee.com] has joined #openvpn
11:07 < chrisb> right, overlap,
11:08 < jgspratt> But that's actually the point. I am bridging the LANs.
11:08 < jgspratt> I want the server to be on the destination network.
11:08 -!- raidz_away is now known as raidz
11:08 < chrisb> they are subnets, as you have defined them
11:09 < jgspratt> Can you offer a valid config?
11:10 < chrisb> i can tell you are in a hurry, so I won't slow you down
11:10 < jgspratt> No, I've been doing this for a day
11:11 < jgspratt> No rush. Just looking for someone with more info than "your server is on the network you're trying to get to."
11:12 < jgspratt> To me, it looks like http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing is telling me to do what I'm doing.
11:12 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
11:12 < chrisb> i have only used openvpn in one configuration local private network to remote vps, the bridge network, point-to-point is 10.x.x.x and then the vps routes to the public internet
11:12 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
11:14 < jgspratt> let's assume I'm trying to do that. how can I make it so my client can talk to my server network?
11:15 < jgspratt> Specifically, what should my server settings be so that I don't get an overlap problem, but so that openvpn does something useful?
11:16 <@EugeneKay> Move your client off the destination network.
11:16 <@EugeneKay> It's a circular route problem
11:17 <@EugeneKay> If they're not the same LAN then they shouldn't have the same subnet. Using a bridge is the wrong solution here. Change one of the subnets and set up routing between the two LANs, via the openvpn server/client
11:17 <@EugeneKay> !route
11:17 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
11:19 < chrisb> https://en.wikipedia.org/wiki/Private_network#Merging_private_networks
11:19 <@vpnHelper> Title: Private network - Wikipedia, the free encyclopedia (at en.wikipedia.org)
11:20 < jgspratt> EugeneKay: Move my client? It is on 10.0.0.0/24 for eth0 and 172.16.0.0/24 for tun0
11:20 < jgspratt> Neither of those ranges is on the server's LAN
11:21 <@EugeneKay> The client thinks there's an overlap
11:21 < jgspratt> 10.24.0.0/13 is not on 10.0.0.0/24
11:21 <@EugeneKay> Are you sure it's actually /24? ;-)
11:22 < chrisb> jgspratt: check the bits
11:22 < jgspratt> Yeah.
11:22 < jgspratt> Ok, on what?
11:22 < jgspratt> iroute 10.0.0.0 255.255.255.0
11:22 < jgspratt> push "route 10.0.0.0 255.255.255.0"
11:22 < jgspratt> route 10.0.0.0 255.255.255.0
11:22 < jgspratt> That's /24
11:23 <@EugeneKay> Your error message says otherwise
11:23 <@EugeneKay> I see the warning "WARNING: potential route subnet conflict between local LAN [10.25.1.0/255.255.255.0] and remote VPN [10.24.0.0/255.248.0.0]"
11:23 < chrisb> jgspratt: you are the one with the routing problem
11:23 <@EugeneKay> Something isn't right there. Go fix it.
11:23 < chrisb> jgspratt: you couldn't route these with a regular router!
11:23 < jgspratt> The server can't be on the server's lan?
11:24 <@EugeneKay> Your VPN subnet should not be within any LAN subnet....
11:24 <@EugeneKay> It should be a whole different block
11:24 < jgspratt> It's not. The tun interfaces are on 172.16.0.0/24
11:24 <@EugeneKay> Then what is 10.25.1.0/24?
11:25 < jgspratt> Part of 10.24.0.0/13, the server's LAN
11:25 < chrisb> oh my god
11:25 <@EugeneKay> Is that error message from the server or the client? I'm confused
11:25 -!- chrisb [~chrisb@li482-205.members.linode.com] has left #openvpn ["rcirc on GNU Emacs 23.4.1"]
11:25 <@EugeneKay> And you can't have a /24 that's "part of" a /13. This is not how CIDR works.
11:26 <@EugeneKay> It's either a conflict or it's a different block
11:26 <@EugeneKay> Fix it.
11:26 < jgspratt> No, that's on the server's log
11:27 <@EugeneKay> So, why does the server think that 10.24.0.0/13 is a block that openvpn should be handling? ;-)
11:27 -!- arekm [~arekm@pld-linux/arekm] has joined #openvpn
11:27 < jgspratt> Well, I'll simplify it to only be 10.25.0.0/24 on the east coast for now then.
11:27 < jgspratt> The server can get to all of 10.24/13
11:28 <@EugeneKay> So you have the server push that route to clients. The server itself shouldn't be getting that route via openvpn, because that's wrong
11:28 < arekm> hi. I wonder what could change between 2.2.2 and 2.3.0 that causes "write UDPv4: Invalid argument (code=22)" with exactly the same config
11:29 <@EugeneKay> If openvpn isn't going to be handling a block, don't tell it about it.
11:30 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 264 seconds]
11:30 < jgspratt> here, I simplified it: http://hastebin.com/damayulotu.vbs
11:30 <@vpnHelper> Title: hastebin (at hastebin.com)
11:31 < jgspratt> That's the server log now, with only 10.25/24 on the server
11:31 < jgspratt> "potential route subnet conflict between local LAN [10.25.1.0/255.255.255.0] and remote VPN [10.25.0.0/255.255.0.0]"
11:31 <@EugeneKay> !configs
11:31 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) don't forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:32 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.]
11:32 < jgspratt> http://hastebin.com/kavurivaca.hs
11:32 <@vpnHelper> Title: hastebin (at hastebin.com)
11:32 <@EugeneKay> Line 13 is wrong
11:32 <@EugeneKay> That should not exist
11:32 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
11:32 <@EugeneKay> So you have the server push that route to clients. The server itself shouldn't be getting that route via openvpn, because that's wrong
11:32 < jgspratt> Sorry, I put that in per someone else's request from a while ago.
11:33 <@EugeneKay> If your server has the route via a LAN adapter openvpn will notice the conflict. Which it did.
11:33 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
11:33 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Client Quit]
11:34 -!- Konigsberg [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Quit: 123asdf]
11:34 < jgspratt> Here is with that line removed: http://hastebin.com/focetuhiku.vbs
11:34 <@vpnHelper> Title: hastebin (at hastebin.com)
11:35 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:35 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:35 < jgspratt> Same symptoms on client: http://hastebin.com/posuqiresa.hs
11:35 <@vpnHelper> Title: hastebin (at hastebin.com)
11:35 <@EugeneKay> See? No more conflict. Now you get to fix the next problem.
11:35 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:35 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:35 -!- _fang0654 [~fang0654@cpe-68-174-236-234.nyc.res.rr.com] has joined #openvpn
11:35 < jgspratt> I didn't have the conflict before I added that line, but they said it wouldn't work without it, so I should add it.
11:36 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:36 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:36 <@EugeneKay> Whoever said that was wrong
11:36 < jgspratt> But I'm glad we are making progress now! :)
11:36 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:36 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Remote host closed the connection]
11:36 <@EugeneKay> This looks like a routing problem now. I'm guessing 10.25.1.101 is the server's LAN address, and .102 is another box on that same LAN?
11:36 <@EugeneKay> And that your server is NOT the default gw for most boxes on that same LAN?
11:36 < arekm> for my problem with Invalid argument 22 here is config, data, logs: http://pastebin.com/qUMLUm9r
11:37 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:37 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:37 < jgspratt> Well, should I be able to go from .102 to 10.0.0.10 if it's as you suspect?
11:37 -!- Konigsberg7 [~mIRC@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:37 -!- Konigsberg7 [~mIRC@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:38 <@EugeneKay> Nope
11:38 -!- Konigsberg7 [~mIRC@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:38 -!- Konigsberg7 [~mIRC@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:38 < jgspratt> But I added a route: http://hastebin.com/lamoboweca.vhdl
11:38 <@vpnHelper> Title: hastebin (at hastebin.com)
11:38 <@EugeneKay> On your default GW? OK, so that's good.
11:39 < jgspratt> In my sonicwall: http://hastebin.com/hokocahine.1c
11:39 <@vpnHelper> Title: hastebin (at hastebin.com)
11:39 <@EugeneKay> If pings are working one direction but not the other then it's gonna be a firewall
11:39 < jgspratt> Yeah, which is the default GW
11:39 < _fang0654> Probably a stupid question, but does broadcast traffic get passed over a TAP vpn?
11:39 <@EugeneKay> And I charge $150/hour to debug those
11:40 <@EugeneKay> _fang0654 - Layer2 traffic is passed over TAP, yes. Are you talking about bridging tap0 to eth0? Don't do that.
11:40 -!- Konigsberg7 [mIRC@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:40 -!- Konigsberg7 [mIRC@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:41 < _fang0654> EugeneKay: Ok cool. Just set up a bridge between two tomato routers to be on the same subnet, just wanted to make sure their poorly designed software would work
11:41 <@EugeneKay> Good luck. You'll need it. :-p
11:41 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has quit [Ping timeout: 255 seconds]
11:41 < _fang0654> Seems like it is working. Pretty slow though. Very poorly designed software :)
11:43 < arekm> any clues, things to check?
11:43 <@EugeneKay> arekm - not a clue.
11:44 < jgspratt> EugeneKay: I doubt it. These machines were running this very vpn for over a year.
11:44 <@EugeneKay> But bravo for trying 2.3!
11:44 < arekm> heh, ok, so no point in trying to debug this, downgrading :)
11:45 <@EugeneKay> Plenty of point; it's probably something obvious
11:45 <@EugeneKay> But I have $DAYJOB too
11:45 < arekm> downgraded and works
11:45 <@EugeneKay> A valid solution too
11:46 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has joined #openvpn
11:46 < arekm> tried to see where "Invalid argument" is coming from via strace but likely it's not from any syscall
11:47 <@EugeneKay> Nah, it'll be an openvpn debug thing
11:47 <@EugeneKay> It's not one I've come across (or can remember) or I'd tell you what it means
11:47 <@EugeneKay> Googling probably isn't much help (I tried)
11:49 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:49 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:49 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:49 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:49 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:49 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
11:49 -!- Konigsberg [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:50 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
11:51 < arekm> UDPv4 write returned -1
11:51 < arekm> oh
11:51 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has joined #openvpn
11:55 < arekm> (2.3 client works fine btw, only server has problems)
11:56 -!- Konigsberg [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Quit: 123asdf]
11:59 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
11:59 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
12:03 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn
12:03 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host]
12:03 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:07 -!- valparaiso_ [~valparais@ARennes-257-1-179-35.w2-13.abo.wanadoo.fr] has joined #openvpn
12:08 -!- valparaiso_ is now known as valparaiso
12:09 -!- Konigsberg [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
12:16 <@ecrist> what problem does server have?
12:16 -!- Konigsberg [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has left #openvpn []
12:17 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
12:17 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
12:21 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
12:26 -!- BtbN [~btbn@btbn.de] has quit [Quit: Bye]
12:27 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Quit: 123asdf]
12:27 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
12:27 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
12:29 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
12:29 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
12:29 -!- BtbN [~btbn@btbn.de] has joined #openvpn
12:30 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn
12:30 -!- Konigsberg7 [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Excess Flood]
12:36 < _fang0654> Any way of having a tap tunnel intercept DHCP and not pass the requests to the other side of the tunnel?
12:37 <@EugeneKay> Yeah, don't use bridging. :-p
12:37 <@EugeneKay> I think you can do that with ebtables/iptables
12:38 -!- MarKsaitis [~MarKsaiti@82-71-61-117.dsl.in-addr.zen.co.uk] has joined #openvpn
12:38 < _fang0654> I'd love to not use bridging, but software only works on same subnet
12:38 -!- ch1mk3y [ch1m@ns203993.ovh.net] has joined #openvpn
12:38 < _fang0654> ok. I'll see if I can get more with my google fu. Mainly just trying to have a different default gateway assigned
12:39 -!- CEnnis91|Cloud [uid3543@gateway/web/irccloud.com/x-pzipuahktqrozmve] has quit [Quit: Connection closed for inactivity]
12:39 < _fang0654> Although it is only a handful of machines. I think I'll just set them up static and be done with it
12:40 < JackWinter> is there a more specific directive than client-client, to only allow select hosts to see each other?
12:40 < _fang0654> JackWinter: You have to do that through iptables on the server
12:41 -!- ch1mkey [ch1m@ns203993.ovh.net] has quit [Ping timeout: 276 seconds]
12:43 < JackWinter> _fang0654: was afraid of that. does a forward rule cover traffic on the same interface or is it only for forwarding between different interfaces?
12:43 -!- ch1mkey [ch1m@ns203993.ovh.net] has joined #openvpn
12:44 -!- ch1mkey [ch1m@ns203993.ovh.net] has quit [Read error: Connection reset by peer]
12:44 -!- ch1mkey [ch1m@ns203993.ovh.net] has joined #openvpn
12:44 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 255 seconds]
12:45 <+pekster> JackWinter: Traffic can be forwarded even if it arrives and leaves via the same interface, yes
12:45 -!- ch1mk3y [ch1m@ns203993.ovh.net] has quit [Ping timeout: 248 seconds]
12:46 < _fang0654> JackWinter: Hold on one sec, let me look at how my rules are configured
12:46 -!- ch1mk3y [ch1m@ns203993.ovh.net] has joined #openvpn
12:48 -!- ch1mkey [ch1m@ns203993.ovh.net] has quit [Ping timeout: 248 seconds]
12:49 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
12:51 <+pekster> _fang0654: I assume you've already ruled out using a tun (Layer 3) VPN setup instead? You actually need subnet broadcast and/or Ethernet frame support across the tunnel?
12:52 < _fang0654> pekster: Yeah, on this one. I seem to have it up and running fine, I'm just going to keep things simple and keep the workstations static
12:54 < _fang0654> JackWinter: Here is an example iptables setup I have for a specific client to only be able to access specific machines - http://pastebin.com/BxjGQFbn
12:58 -!- ch1mkey [ch1m@ns203993.ovh.net] has joined #openvpn
13:00 -!- ch1mk3y [ch1m@ns203993.ovh.net] has quit [Ping timeout: 255 seconds]
13:01 < JackWinter> _fang0654: thanks
13:02 <+pekster> I don't see the point of lines 8-9; you could just DROP the traffic there. Presumably early on in your FORWARD chain you're already accepting the established & related states, so there's no point to doing it there
13:03 -!- ch1mk3y [ch1m@ns203993.ovh.net] has joined #openvpn
13:05 -!- ch1mkey [ch1m@ns203993.ovh.net] has quit [Ping timeout: 252 seconds]
13:08 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
13:13 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 240 seconds]
13:14 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
13:18 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
13:22 < _fang0654> pekster: I had default set to drop.
13:24 -!- BtbN [~btbn@btbn.de] has quit [Read error: Connection reset by peer]
13:25 -!- ronsel [~ronsel@dslb-088-074-167-187.pools.arcor-ip.net] has quit [Quit: Dieser Computer ist eingeschlafen]
13:25 <+pekster> _fang0654: So? You should be accepting the established/related states early in forward, not for each source address you custom filter
13:25 -!- BtbN [~btbn@btbn.de] has joined #openvpn
13:25 <+pekster> Unless you have some special need, the first rule in any of the builtin chains should probably be -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
13:26 < _fang0654> pekster: Good point. I built the setup years ago, and haven't really touched it since. I think when I get some free time I'll update it
13:27 < _fang0654> pekster: Definitely makes more sense
13:28 <+pekster> It's just less CPU processing the kernel needs to do, because those rules are hit for every packet. I could also run around the block every glass of water I pour myself, but I don't ;)
13:29 < _fang0654> lol
13:29 < _fang0654> I'm actually kind of amazed at how well openvpn holds up running a lot of vpns
13:29 -!- jgspratt [~jgspratt@66.162.71.166] has left #openvpn ["PONG :hubbard.freenode.net"]
13:29 < _fang0654> I have a virtual machine running about 50 tunnels without breaking a sweat
13:29 <@dazo> _fang0654: you probably haven't tried a few hundred active tunnels ;-)
13:29 <+pekster> Concurrent processes, yes. It's not multi-threaded, so that surprises some people with 16-virtual cores or something when they can't leverage them all on a single tunnel
13:29 <@dazo> but 50ish should be really fine
13:30 < _fang0654> dazo: I figure when I hit 64 I'll just set up a new instance
13:30 <+pekster> The solution there is to use multiple backend VPNs and tie them together with some load-balancing at the front; if you set something like that up right, it's mostly transparent to frontend users
13:30 < _fang0654> pekster: Makes sense.. especially since I only gave it a core :)
13:31 < _fang0654> pekster: It is mainly our clients, who for the most part aren't dealing with each other, so it doesn't matter if we split it up
13:31 <@dazo> _fang0654: you can easily run more openvpn servers on different ports on the same box ... and then pin them to different CPU cores ... but I would easily raise the bar to 100 simultaneous and active clients
13:32 < _fang0654> dazo: To be honest, I was a bit shortsighted when I first set it up. I'm going to run out of IPs before then and have to set up another server anyways :)
13:32 <@dazo> nah ... just reconfigure the VPN subnet ... that should be enough, or not?
13:33 < _fang0654> I'd have to do it late at night, since I can't keep it down for very long
13:34 <@dazo> fair enough
13:34 < _fang0654> I tried it once, ran into a couple of snags, backed out and shelved it to be handled at some later point
13:35 < _fang0654> Well, now I have to call the cable company to up the upstream bandwidth at this office. Apparently it's only 2Mbit up, which is killing their software
13:35 < _fang0654> thanks for the advice!
13:36 <@dazo> well, I'd set up a clone VM of my prod environment, rename it to 'testing' ... and do all the needed testing there ... and copy the config files
13:36 -!- _fang0654 [~fang0654@cpe-68-174-236-234.nyc.res.rr.com] has quit [Quit: Leaving]
13:38 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has quit [Quit: Leaving]
13:38 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye]
13:40 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has joined #openvpn
13:41 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
13:48 -!- b00b [~freenode@46.166.178.155] has quit [Quit: ZNC - http://znc.in]
13:52 -!- Typo1 [~raul@63-234-144-202.dia.static.qwest.net] has joined #openvpn
13:55 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
14:05 -!- dazo is now known as dazo_afk
14:09 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 265 seconds]
14:10 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
14:13 -!- MarKsaitis [~MarKsaiti@82-71-61-117.dsl.in-addr.zen.co.uk] has quit [Ping timeout: 276 seconds]
14:18 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
14:21 -!- Suterusu1 [~EyeR@178.63.199.61] has quit [Ping timeout: 260 seconds]
14:25 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
14:26 -!- Devastator [~devas@177.18.197.67] has joined #openvpn
14:26 -!- Devastator [~devas@177.18.197.67] has quit [Changing host]
14:26 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
14:31 -!- CEnnis91|Cloud [uid3543@gateway/web/irccloud.com/x-glexqzbkdqwtzqzv] has joined #openvpn
14:34 -!- CEnnis91|Cloud is now known as CEnnis91
14:34 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-glexqzbkdqwtzqzv] has quit [Changing host]
14:34 -!- CEnnis91 [uid3543@unaffiliated/cennis91] has joined #openvpn
14:34 -!- CEnnis91 [uid3543@unaffiliated/cennis91] has quit [Changing host]
14:34 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-glexqzbkdqwtzqzv] has joined #openvpn
14:37 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
14:49 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn
14:58 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has joined #openvpn
15:10 -!- brute11k [~brute11k@89.249.235.33] has quit [Quit: Leaving.]
15:15 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 248 seconds]
15:20 -!- troyt [~troyt@2001:1938:240:3000::3] has quit [Ping timeout: 260 seconds]
15:21 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
15:21 -!- valparaiso [~valparais@ARennes-257-1-179-35.w2-13.abo.wanadoo.fr] has quit [Quit: valparaiso]
15:28 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn
15:45 < CrashTM> anyone home?
15:49 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
15:51 -!- Typo1 [~raul@63-234-144-202.dia.static.qwest.net] has quit [Quit: Leaving.]
15:53 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
16:01 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 276 seconds]
16:03 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn
16:12 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 246 seconds]
16:15 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
16:16 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.225.wb.wifirst.net] has joined #openvpn
16:17 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 276 seconds]
16:25 -!- troyt [~troyt@2001:1938:240:3000::3] has joined #openvpn
16:27 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving]
16:30 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
16:37 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 17.0.1/20121128204232]]
16:52 -!- Crosshair84 [~Crosshair@nat.crossfone.com.ar] has joined #openvpn
16:52 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 255 seconds]
16:52 -!- fu_fu is now known as desmo
16:52 < Crosshair84> hello I'm a new user and I'm looking for help
16:52 -!- bjh4_ [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn
16:53 < desmo> crashTM what's up
16:55 < CrashTM> desmo, I'm having trouble setting up an openvpn server on my vz based ubuntu vps
16:55 < desmo> what's the trouble?
16:56 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:56 <+pekster> OpenVZ isn't going to give you direct control over tun devices like you expect
16:56 <+pekster> Try a real shell ;)
16:56 < CrashTM> Well at first it was that tun/tap was not enabled but i got that fixed, now it tells me that the ip_tables module is not found when i try to configure it
16:57 <+pekster> !openvz
16:57 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn about openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg Xen.
16:57 -!- desmo is now known as fu_fu
16:57 < CrashTM> so i contacted the host, they said that it was also enabled and running for other clients
16:57 <+pekster> Or:
16:57 <+pekster> !openvzlinnat
16:57 <@vpnHelper> "openvzlinnat" is since openvz cant do NAT inside containers, use iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination
16:57 <+pekster> !openvznat
16:57 <@vpnHelper> "openvznat" is (#1) a user reported success with this command: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to or (#2) someone else got it working with: iptables -t nat -A POSTROUTING -s / -o eth -j SNAT --to
16:57 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 260 seconds]
16:57 <+pekster> There's some reading for you CrashTM. I'd strongly suggest using a VM provider not based on OpenVZ if you want to do OpenVPN tasks
16:58 <+pekster> VZ isn't real virtualization; it's just a glorified chroot
17:00 < dioz> that isn't entirely accurate
17:00 < dioz> but a good generalization from my experience as well
17:00 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
17:00 -!- mode/#openvpn [+o dazo_afk] by ChanServ
17:00 -!- dazo_afk is now known as dazo
17:00 <+pekster> Well, it's got some fancy PID remapping and process magic going on, but it's basically just a chroot with a few bow-ties on top :P
17:01 <+pekster> It's a cool project, just not from OpenVPN's perspective...
17:01 < dioz> true
17:01 < dioz> xen hvm or kvm is what i'd suggest
17:03 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds]
17:05 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
17:12 -!- swat [~swat@ubuntu/member/swat] has quit [Quit: Leaving.]
17:13 < CrashTM> well there are not many cheap kvm vps's
17:14 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 256 seconds]
17:15 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
17:16 -!- bjh4_ [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Quit: Leaving]
17:17 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn
17:18 -!- neverme [neverme@201.80.7.30] has joined #openvpn
17:19 < neverme> hi, in order to have multiple outbound ips with openvpn do I need to make several servers or is it possible to make 1 and define which outbound ip a given client will use ?
17:20 <+rob0> You asked that yesterday and quit before I could answer.
17:21 <+rob0> And the answer is,
17:21 <+rob0> !notovpn
17:21 <@vpnHelper> "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
17:21 -!- nutron [~nutron@unaffiliated/nutron] has quit [Ping timeout: 264 seconds]
17:21 <+rob0> For example, if Linux, it could be a matter of per-client SNAT rules.
17:23 <+rob0> Or, another choice, which should work in any OS, would be CCD files with ifconfig per client to directly use those IP addresses for the tunnel, and then proxy ARP.
17:24 < neverme> rob0 yes I was short on time thx
17:25 < neverme> I see, so rather than doing a network snat source I would do a targeted snat from client to ip I want to use ?
17:26 < neverme> I will give it a try thanks again rob0
17:26 <+pekster> That's one solution, yes. OpenVPN doesn't care what you do with a packet once it gets passed to the host OS
17:27 <+rob0> I would do the direct bind and proxy ARP approach. I hate NAT.
17:28 <+pekster> As soon as I get more than a single public IP presence, I'll hate NAT too :D
17:28 < neverme> rob0 would you have a link to a guide on doing that ? I am familiar doing it on SNAT but not done that way
17:28 <+rob0> Once again, it varies by OS, and the only one I know is Linux.
17:28 < neverme> well I just need to assign different ips to 6 clients and I don't think it will increase
17:29 < neverme> well the server is on centos and the clients are windows xp
17:29 <+rob0> and I did post a proxy ARP solution on the mailing list once
17:29 < neverme> thanks I will look for that
17:30 <+rob0> it was Linux on both ends, but at least the server end would be applicable
17:32 < neverme> well worst case I will just use it with snat which I am familiar with but I will give it a try with ARP and see how different it is
17:33 < neverme> from what you said above it seems easier to manage with ARP
17:33 <+rob0> I think it is.
17:34 <+rob0> Use "rob0 openvpn static ip at home", should find it. I gtg, bbl.
17:34 <+rob0> (search terms)
17:34 < neverme> cool thanks
17:34 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat]
17:36 -!- Burken [~Burken@78-69-27-5-no194.tbcn.telia.com] has joined #openvpn
17:36 -!- Burken [~Burken@78-69-27-5-no194.tbcn.telia.com] has left #openvpn []
17:36 < neverme> found it on the mailing list thanks a lot rob0
17:41 -!- neverme [neverme@201.80.7.30] has quit [Quit: Leaving]
17:44 < CrashTM> root@35948:~# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source
17:44 < CrashTM> WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
17:44 < CrashTM> FATAL: Module ip_tables not found.
17:44 < CrashTM> iptables v1.4.4: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
17:44 < CrashTM> Perhaps iptables or your kernel needs to be upgraded.
17:45 < CrashTM> any ideas with this
17:46 <+pekster> The system you're on doesn't provide (or expose, as may be the case with OpenVZ) the required kernel modules. netfilter does not work without access to the relevant kernel modules
17:47 < CrashTM> any idea on how to "expose" those modules
17:47 <+pekster> No clue; I'm not familiar with OpenVZ beyond a high-level understanding of how it works (in fact, that's why I choose to not be more familiar with it)
17:48 <+pekster> The reading material I had the bot paste from earlier had some wiki links to OpenVZ's site, if that's useful
17:56 < CrashTM> ok, well can you recommend a cheap vps host?
17:59 <+pekster> AWS gives you a year free if you're a new customer and stay within the "Free Tier" usage limits
17:59 < CrashTM> AWS?
17:59 <+pekster> You can run 1 VM 24/7 with that
17:59 < CrashTM> does it work with openvpn
17:59 <+pekster> http://aws.amazon.com/free/
17:59 <@vpnHelper> Title: AWS Free Usage Tier (at aws.amazon.com)
18:00 <+pekster> Yes, of course; it's a xen-based virtualization platform
18:00 <+pekster> Drop in a pre-existing VM for the Ubuntu Server (the free community edition AMI) and install/configure openvpn
18:01 <+pekster> Just be sure you understand the free tier limits, because they'll bill you a la carte if you exceed the tier limits (and after your free year you pay metered as you would normally)
18:03 < CrashTM> i'm reading about the free tier but i don't understand most of it lol
18:03 < Crosshair84> hi, I have a problem with the openvpnAS
18:03 < Crosshair84> can you help me?
18:04 <+pekster> !as
18:04 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
18:04 < Crosshair84> yes
18:04 < Crosshair84> but nothing there
18:04 <+pekster> This channel is for the open-source OpenVPN codebase, not the commercial product
18:04 <+pekster> You will not find help with AS here, only OpenVPN
18:05 <+pekster> The commercial side is separate and has their own support structure (they are a company with paid employees. This is a free community channel with volunteer help)
18:05 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.225.wb.wifirst.net] has quit [Ping timeout: 240 seconds]
18:07 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
18:14 < dioz> can i bridge a virtual interface?
18:14 < dioz> ether0:0 ?
18:14 < dioz> eth0:0 i mean
18:21 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has quit [Quit: Peace]
18:28 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Read error: Operation timed out]
18:31 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has joined #openvpn
18:44 < Suterusu> I think that's how mine's working - But don't quote me on that
18:47 -!- joshie [~josh@joshie.net] has quit [Remote host closed the connection]
18:48 -!- joshie [~josh@joshie.net] has joined #openvpn
18:48 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
18:50 < dioz> i think i'm just gonna make the bridge in the /etc/network/interfaces
18:50 < dioz> so it's started on boot
18:51 < dioz> need to make sure i can get into this beast in a different way tho
18:51 < dioz> in case i lock myself out
18:51 < dioz> doubt i will
18:51 < dioz> but i just wanna make sure
18:52 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.]
18:54 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has quit [Ping timeout: 252 seconds]
18:56 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn
19:07 <+pekster> dioz: The alias is just a secondary IP on the same device; I don't believe you can treat them separately from an L2 perspective
19:08 <+pekster> The newer iproute2 utilities don't even show them like that anymore; they just list all the inet addresses assigned to an adapter (either a device or a VLAN; the VLAN is treated as a unique device to the kernel)
19:10 < dioz> well i have a VPS with two ip addresses
19:10 < dioz> i wanted to route one of the ips to a VM i have on a box in a different geographical location
19:10 <+pekster> That's doable with policy routing
19:11 < dioz> gonna make the tap0 interface bridge with the eth0
19:11 < dioz> and give the tap0 the second ip
19:12 < dioz> so i don't even need the second virtual interface
19:12 < dioz> can't remember the solusvm login to this vps tho
19:12 < dioz> in case i do something dumb and need serial access
19:12 < dioz> can't find the e-mail in my inbox
19:13 <+pekster> ifconfig is the old way in Linux. 'ip addr' is preferred
19:13 < dioz> yeah
19:13 < dioz> this is how it was set up from scratch in the /etc/network/interfaces
19:13 < dioz> eth0 and eth0:0
19:13 <+pekster> Oh, yea. I try to avoid such distros when I can ;)
19:18 < thumbs> slackware has ip as well, dioz
19:18 < dioz> huh?
19:19 <+pekster> Anything modern has the ip command; their network config files still tend to use outdated syntax so it never has to change ;)
19:20 < dioz> yeah i didn't set this interfaces file up the way it is
19:20 < dioz> i'd be using ip if it was me
19:24 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
19:38 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
19:47 -!- ch1mk3y [ch1m@ns203993.ovh.net] has left #openvpn []
19:55 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
19:59 -!- gojafe [~rasengan@eyearesee.com] has quit [Quit: Lost terminal]
20:01 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn
20:12 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 256 seconds]
20:19 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit []
20:30 <+dvl> in openvpn, can I add a 'route 10.4.0.0 255.255.255.0', for example, to my *client* config if the server is not already pushing it?
20:31 <+dvl> ^ from another network
20:35 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Ping timeout: 265 seconds]
20:35 <+pekster> dvl: Sure, the client can do that. The server still needs to route it, of course, but that's not internal to OpenVPN at that point
20:42 -!- Crosshair84 [~Crosshair@nat.crossfone.com.ar] has quit []
21:23 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
21:35 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn
22:05 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
22:05 < fu_fu> hello
22:07 < fu_fu> i need a bit of help, i upgraded my windows terminal server 2008_r2 to the new version, as well as the AD server, now there is some problem logging in to the TS
22:08 < fu_fu> are there some added auth communications in the new version?
22:08 < fu_fu> i can login as administrator but login to the domain is stopped
22:17 < pppingme> fu_fu do you have ts licenses installed?
22:19 < fu_fu> ya, and license server should be fine
22:20 < fu_fu> i rebooted the servers so they would be sure to get their drivers in order, still waiting
22:20 < pppingme> did it break after you updated the OS, or after you upped it to an AD server? or did you test in between steps???
22:20 < fu_fu> waiting for them to come back up
22:20 < fu_fu> sorry, confusion.
22:21 < fu_fu> u just updated the OVPN to 2.3 and added two TAPs
22:21 < fu_fu> *I
22:28 < fu_fu> i think there may be a problem with my identifying the TAP ID, is it just the name or the ID string used in the config file?
22:29 <+pekster> Not normally, although IIRC you can provide the CLSID of the network adapter in your config file if you want (that's uncommon to do in practice)
22:29 <+pekster> You don't know how your own host is configured?
22:30 < fu_fu> i just added the other adapters and did not need the "dev node" line
22:32 <+pekster> I don't understand why logging into a service is a problem of OpenVPN?
22:32 <+pekster> What does RDP have to do with OpenVPN?
22:40 < fu_fu> i was just asking if the new revision had any additional traffic allowed over the tunnel
22:41 < fu_fu> it seems to work after i disable the additional TAPs so it must be something in that
22:41 < fu_fu> the RDP connection authenticates to a domain server at the other end of a client tunnel
22:43 <+pekster> "had any additional traffic allowed over the tunnel" <-- what does that mean?
22:46 <+pekster> I mean, 2.3 supports IPv6 across the link, and perhaps that's "additional traffic", but I can't really figure out what you're asking
22:46 < fu_fu> i could authenticate before i added the TAP interfaces and upgraded
22:47 <+pekster> So the next logical question: is the VPN even up?
22:49 < fu_fu> yes, i have clients connected and pinging
22:50 < fu_fu> i think i found it, the TAP ints seem to be cleared of dns info and windows uses that for auth mapping
22:50 < fu_fu> yup, that did it
22:51 < fu_fu> driver overwrite is all, thanks
22:55 < fu_fu> so what is the standard way to find the ID of the NIC on windows? e.g. "dev node TAP0" < No. Use the display name or CLSID (see openvpn.exe --show-adapters to get that list)
23:03 <+pekster> Usually "Local Area Connection X" but you can rename the device. Technically you could call it 'tap0' if you wanted ;)
23:06 < fu_fu> yes, that is what i did exactly, i don't really use windows all that much so i don't know clsid but thank you for elaborating, i was thinking it might be that (987213002319788123400-812347) type of ID
23:07 <+pekster> Yes
23:08 < fu_fu> cool, well gnight folks, thanks for being here
--- Day changed Thu Jan 10 2013
03:58 < Assid> heya
04:05 < Assid> okay so here's something weird.. i have a windows main server.. which has 2 virtual machines .. both of which have a public internet ip address.. and are reachable fine.. 1 of which has openvpn working.. perfectly and i can reach it from a static ip (vpn) address.. the other i am unable to. I can't even ping the vpn gateway or from gateway to client either.
04:06 < Assid> i tried with a disabled firewall.. creating the same rules as the other windows box.. nothing works
04:13 <+pekster> Sounds like there's a difference in configuration between the VMs, or maybe between how the host treats them?
04:13 <+pekster> Clearly something has to be different
04:13 < Assid> pekster: can't find anything that's off...
04:14 < Assid> pekster: can i show you on ammy admin / teamviewer what i mean?
04:14 < Assid> maybe i need a fresh pair of eyeballs on this
05:09 < genghi> hi… is there a recommended way to have openvpn apply some sort of firewall rules to clients? For example, can we enforce that a connected client can only reach 192.168.0.5 and not 192.168.0.6 on the server network side?
05:53 < dropje> genghi: take a look at --learn-address
06:12 < genghi> dropje: thanks.. will do
07:09 < thermoman> let's assume i have 2 vpn servers and some but not all users have to have access to both, others only to one of them
07:10 < thermoman> is it easily manageable that a client-cert for e.g. an admin is accepted at both vpn servers but a client-cert for e.g. a normal user only on one?
07:10 < thermoman> sure i can create a self signed CA etc etc for each server so the admin user ends up with 2 key/crl pairs
07:11 < thermoman> but if this can easily be managed with only one key/crl pair this would be really cool
07:24 < plaisthos> thermoman: You could use an intermediate ca
07:25 < plaisthos> or add x509 attributes in the certs which you check by a script
07:26 < thermoman> you mean with intermediate ca normal users get their cert signed by the intermediate CA and admins get their cert signed by the root CA?
07:27 < thermoman> /normal users get their cert signed by one of the intermediate CAs/
07:29 < thermoman> plaisthos: ^
07:30 <@ecrist> thermoman: you can use multiple CAs for a single instance of OpenVPN
07:31 <@ecrist> so, you sign admin certs with one CA, user certs with another
07:32 < thermoman> sounds complicated
07:33 < thermoman> :)
09:31 < thermoman> mhh, i can connect to my openvpn 2.1.3 server from windows vista with openvpn-2.3.0 - connection is fine but no traffic goes over the tunnel
09:31 < thermoman> is there something special with windows vista?
09:31 < thermoman> from linux it works
09:31 < thermoman> i can't even ping the remote end of the tunnel
09:32 < thermoman> windows gives inactivity timeout
09:50 < defswork> is there a mac osx openvpn ui client that supports management interface user authentication ?
10:59 < thermoman> quick question: vpn server's public IP is 1.2.3.4/24 and the vpn server pushes the route 1.2.3.0/24 to the client.
10:59 < thermoman> this works on linux because it sets a host-route to the default gateway
10:59 < thermoman> but not on linux
11:00 < thermoman> can i force windows to set a host-route to its default-gw so the vpn server is still reachable over public internet where 1.2.3.0/24 is going over the tunnel?
11:01 < thermoman> .
11:01 < thermoman> found it: http://blog.spamt.net/archives/2006/11/02/mit_openvpn_eine_hostroute_auf_den_client_pushen/index.html
11:02 <@vpnHelper> Title: Mit openvpn eine hostroute auf den Client pushen | Stolzer DNS Spammer (at blog.spamt.net)
13:57 < CrashTM> hey people
13:57 < CrashTM> anyone home?
14:00 < kunji> There are 163 people in the room, I'm attempting my first install of OpenVPN right now, so I probably can't answer your question, but just post it, don't ask to ask ^_^
14:10 <@dazo> kunji++ :)
14:10 <@dazo> !ask
14:11 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc
14:11 <@dazo> CrashTM: ^^^
14:11 < CrashTM> well
14:11 < CrashTM> i got my server running
14:11 < CrashTM> i'm able to connect to it yet my traffic is not routed through my vpn
14:13 < CrashTM> anyone?
14:13 <@ecrist> kunji++
14:15 < CrashTM> >.>
14:20 <@krzee> kunji++
14:20 <@krzee> 3 karma points for a well placed statement!
14:21 * krzee high 5's kunji
14:21 <@krzee> CrashTM,
14:21 <@krzee> !redirect
14:21 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:21 <@vpnHelper> http://ircpimps.org/redirect.png
14:26 < wh1p> crashtm :?
14:26 < CrashTM> ok
14:26 < CrashTM> it is a dns problem
14:26 < CrashTM> i CAN ping 8.8.8.8 but i cannot ping google.com
14:27 <@krzee> well there ya go
14:27 <@krzee> glad to help =]
14:27 * krzee loves those flowcharts!
14:31 <@ecrist> krzee: you should consider rewriting them in graphviz or something editable
14:32 <@ecrist> because they ARE epic
14:32 <@krzee> thanks, not a bad idea… it'll have to wait til after my travels though
14:32 <@krzee> im in vegas right now, headed to all of california
14:32 <@ecrist> nice
14:32 <@krzee> testing 4 different wifi hotspots with my darknet voip service
14:33 <@ecrist> nice
14:33 <@ecrist> how's that project going?
14:33 <@krzee> fantastic
14:33 <@krzee> so far verizon is the best in vegas, but t-mobile is a near second
14:35 <@ecrist> non-LTE, and moving, tmo is best, imho
14:35 <@krzee> i suspect it will vary from area to area, which is why i bought 4
14:35 < kunji> Wow, thanks for the karma, first time that's happened to me on IRC ^_^, small question here, in the sample server.conf files is the function of ";" the same as of "#", that is, is it for a commented line?
14:36 <@krzee> kunji, yes 14:36 < kunji> krzee: cool, thanks 14:36 <@krzee> np 14:36 < CrashTM> thanks 14:36 <@ecrist> kunji: those are all standard comment delimiters 14:36 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has quit [Quit: Leaving] 14:37 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 248 seconds] 14:51 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Read error: Connection reset by peer] 14:51 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 14:51 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has joined #openvpn 14:53 -!- swat [~swat@ubuntu/member/swat] has quit [Ping timeout: 245 seconds] 15:05 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 276 seconds] 15:06 -!- brute11k [~brute11k@89.249.235.33] has quit [Quit: Leaving.] 15:11 -!- krzee [nobody@openvpn/community/support/krzee] has left #openvpn ["Leaving"] 15:20 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 244 seconds] 15:22 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn 15:27 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 240 seconds] 15:30 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 15:43 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 15:52 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 16:05 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 17.0.1/20121128204232]] 16:11 -!- MarKsaitis [~MarKsaiti@cpc4-rdng22-2-0-cust932.15-3.cable.virginmedia.com] has quit [Quit: Leaving] 16:14 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 276 seconds] 16:14 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.225.wb.wifirst.net] has joined #openvpn 16:19 -!- cjs226 
[~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit [] 16:24 -!- B4ub [~b4ub@178.73.210.252] has joined #openvpn 16:25 -!- dazo is now known as dazo_afk 16:26 < B4ub> Ohai everybody ! 16:27 < B4ub> I'm using the 443 port (1194 is blocked), but the traffic is completely jammed on this port, which port do you think I can use ? 16:33 -!- moore1 [~moore@50.7.199.107] has joined #openvpn 16:35 < moore1> please i need help on this, i have openvpn server but my clients keeping on getting the same ip from it even after disconnecting and connecting back again 16:35 < moore1> what actually am i missing out to include ? 16:43 -!- B4ub [~b4ub@178.73.210.252] has quit [Remote host closed the connection] 16:46 -!- exed [~maximus@ppp-88-217-68-147.dynamic.mnet-online.de] has joined #openvpn 16:47 -!- exed [~maximus@ppp-88-217-68-147.dynamic.mnet-online.de] has quit [Client Quit] 16:47 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 264 seconds] 16:48 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.225.wb.wifirst.net] has quit [Ping timeout: 264 seconds] 16:50 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 17:02 -!- Suterusu [~EyeR@unaffiliated/suterusu] has joined #openvpn 17:13 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 246 seconds] 17:14 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn 17:15 -!- bandroidx [~bandroidx@2607:f358:1:fed5:4:0:414:11] has quit [Excess Flood] 17:18 -!- bandroidx [~bandroidx@2607:f358:1:fed5:4:0:414:11] has joined #openvpn 17:20 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 17:20 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn 17:24 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 252 seconds] 17:27 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has joined #openvpn 17:30 -!- 
moore1 [~moore@50.7.199.107] has quit [Ping timeout: 265 seconds] 17:31 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 276 seconds] 17:32 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection] 17:32 -!- moore1 [~moore@vs749.rosehosting.com] has joined #openvpn 17:59 -!- moore1 [~moore@vs749.rosehosting.com] has quit [Ping timeout: 248 seconds] 18:00 -!- moore1 [~moore@50.7.199.107] has joined #openvpn 18:20 -!- moore1 [~moore@50.7.199.107] has quit [Ping timeout: 245 seconds] 18:23 -!- k1ng [~k1ng@unaffiliated/k1ng] has quit [Read error: Connection reset by peer] 18:30 -!- k1ng [~k1ng@unaffiliated/k1ng] has joined #openvpn 18:35 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Quit: leaving] 18:37 -!- raidz is now known as raidz_away 18:42 -!- mdw [~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has quit [Read error: Operation timed out] 18:43 -!- mdw [~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has joined #openvpn 18:46 -!- raidz_away is now known as raidz 19:13 < kunji> moore1: Aren't they supposed to get the same ips? Unless you have an extremely short DHCP lease time. That's all I know about it though, I'm not even sure what OpenVPN uses to handle DHCP, let alone where/if you could change the lease time. 19:15 < kunji> Is there an easy way to check that OpenVPN is working correctly if I'm connecting from inside my network? It seems to be working, but I was hoping I could verify it for sure without having to go anywhere :P 19:15 <+pekster> (s)he is gone 19:17 < kunji> pekster: Yeah, whoops, I glanced through and saw a leave and came back, didn't notice the second leaving. 19:26 -!- raidz is now known as raidz_away 19:43 < kunji> Hmm, so I'm trying to send all traffic over the vpn connection. I have set push "redirect-gateway local def1 bypass-dhcp" on the server side, but it seems like my traffic isn't passing through the server. 
At least I don't see any spike in network traffic when watching the system monitor, even when downloading 720p video on Youtube, not really sure where to go from here. 19:46 <+pekster> If you're doing it from inside your network, that's expected behaviour because you still have a link-local route 19:47 < kunji> pekster: Oh, I guess I was thinking that's what the local bit was for, so I guess I'll just need to wait until I actually go elsewhere to try this. 19:47 <+pekster> The redirect-gateway impacts sources you don't have a route for, not local stuff (which always prefers your locally-connected route) 19:48 <+pekster> s/sources/destinations/ 19:48 < kunji> pekster: Can I change that on the client side then? 19:48 <+pekster> Change what? 19:49 < kunji> pekster: For it to route everything through the vpn, Ubuntu used to do this, maybe still does, but I'm trying with a windows client right now and frankly windows and I don't play nice together with this kind of stuff. 19:50 <+pekster> The redirect-gateway OpenVPN option does the same thing on both OSs 19:51 < kunji> pekster: Right, I was asking if there was something else I could do to make it happen, maybe changing the local routing table? 19:52 <+pekster> What do you mean "make it happen" ? If you pass that parameter, it is working. When the client & server are on the same network, it probably won't do what you expect (at least without ugly NAT tricks) because the LAN's default gateway (the real gateway) will just send the return traffic directly back to the client 19:53 <+pekster> Unless you have errors in your log file about failed route commands, the redirect-gateway is doing exactly what it's supposed to 19:58 < kunji> pekster: I'm not saying that it isn't doing what it's supposed to, just that what it's supposed to do isn't what I was hoping to have happen. I want all of my traffic to pass through the vpn, not necessarily when I'm on the same network as now, but at least for when I'm on a different network. 
I just need it so that when I'm not on my network, that ALL traffic passes through the vpn, I can't have it being ambiguous whether or not my traf 20:00 <+pekster> Okay, you obviously can't have "all" traffic, since the VPN traffic (the encrypted packets) need to go to the VPN server. And anything on a link-local network won't get redirected either, since that's a smaller (ie: more specific route.) However, everything else will be, as long as the VPN is up. Once it goes down, packets instantly go back to their usual paths 20:00 <+pekster> If any of those exceptions are problems for your setup, I'd suggest using a firewall to supplement the VPN operation to guarantee expected operation 20:06 < kunji> pekster: Hmm, so you're saying that it does work as I expected so long as I am not on the local network and the VPN is up? Well, it shouldn't be hard to verify once I go get on a different network. The description originally sounded more complete than that, even stating the caveat that if your DHCP lease expires you could lose your connection because even the DHCP requests would be routed over the VPN. I would have thought that the DHCP 20:09 <+pekster> Being on the local network merely impacts the route reply traffic takes, *unless* you are performing source-NAT on packets from VPN clients flowing through the server 20:10 <+pekster> Externally, you need to NAT traffic since you're presumably using private IPs 20:11 <+pekster> !redirect 20:11 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 20:11 <@vpnHelper> http://ircpimps.org/redirect.png 20:11 <+pekster> kunji: There's a handy explanation and flowchart for you to follow 20:13 < kunji> pekster: you mean the vpn server's public ip, right? So the ip my modem receives... which is indistinguishable for me right now because I am on the local network. But like I was saying it will be easy to check later once I'm on a different network. 20:14 < kunji> pekster: interesting though I have not enabled ip forwarding, but can ping google.com, you don't need it enabled if you're bridging do you? 20:14 <+pekster> You're bridging to your own local network? Don't do that... 20:15 < kunji> pekster: Hmm, why not? 20:15 <+pekster> Well, at least connecting from inside doesn't do you any good what-so-ever 20:15 <+pekster> You just have a "2nd" IP address on the same network. Really pointless 20:16 < kunji> pekster: I know, it's for use from outside, I was just trying to do what testing I can from here, since I'm here now. 20:16 <+pekster> If you're trying to redirect traffic, you should probably be using routing (tun) anyway 20:16 <+pekster> You can't test it at all because of your setup. You could partially test it if you were using tun, not tap 20:16 <+pekster> !tunortap 20:16 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Don't waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you 20:16 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! 
20:16 <+pekster> You really don't want tap for this 20:16 < kunji> But tun won't do for LAN gaming no? It doesn't do broadcast. 20:17 <+pekster> You never mentioned anything about games requiring broadcasts, just redirecting remote traffic 20:17 <+pekster> My supply of crystal balls is running low 20:18 < kunji> pekster: Sorry man, I didn't mention the games because they're secondary, the primary concern is the remote traffic. Maybe I should just run 2 instances? 20:18 <+pekster> That might be easier, just to keep things nicely separated. tap VPNs are more complex since you're involving both the VPN server and the network you're bridging to 20:19 <+pekster> Many people mistakenly believe that since it's becoming a part of the existing network that it is easier, but they're ignoring the subtle complexities of combining routing requirements with an Ethernet-layer bridge 20:19 <+pekster> Ideally, just turn on IP forwarding, NAT if you're not using public IP space, and use a routed setup when you want to redirect Internet traffic (it's generally cleaner) 20:20 <+pekster> Normally I hate NAT-based solutions, but I assume your local network is *already* doing NAT upstream, so it's a wash either way 20:20 < kunji> pekster: Yeah, that's very much like what I used to do with pptp. 20:20 <+pekster> Also think of this: do you really want all your "gaming" VPN clients to send *all* their upstream traffic (from youtube, bittorrent, downloading linux distros, etc, etc) through your connection? 20:21 < kunji> pekster: Well, for the gaming bit, it would just be for a few friends, so we're talking like 3 connections for something like Age of Empires II for a few hours. 
20:22 < kunji> pekster: So it wouldn't be bad, but well, I'm going to experiment a few days, and then I'll come back and bother you if it's not working out :P 20:23 <+pekster> It could be awful if you're using the same 'redirect-gateway' setup there 20:23 <+pekster> Do you have your friends stop any other downloads they might be doing before joining? Just run 2 separate VPNs and I suspect you'll be a lot happier 20:23 <+pekster> Or, what if they join and end up doing a huge steam update? That all gets redirected if you've asked it to ;) 20:24 < kunji> pekster: Their own internets aren't very good, they already shut everything else off when we game, sometimes they even stay off Skype and we have to type all game. 20:29 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn 20:53 -!- Guest29478 [~cosmicgat@113.210.100.30] has joined #openvpn 21:26 -!- Guest29478 [~cosmicgat@113.210.100.30] has left #openvpn [] 22:05 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving] 22:08 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn 23:13 -!- MaxeyPad_ [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has quit [Ping timeout: 255 seconds] 23:22 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 23:39 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn --- Day changed Fri Jan 11 2013 00:04 -!- eN_Joy [~eN_Joy@jindan.chem.ou.edu] has quit [Ping timeout: 246 seconds] 00:06 -!- eN_Joy [~eN_Joy@jindan.chem.ou.edu] has joined #openvpn 00:13 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has quit [Quit: Computer has gone to sleep.] 
00:30 -!- MaxeyPad [~MaxeyPad@74-131-67-45.dhcp.insightbb.com] has joined #openvpn 00:33 -!- moore1 [~moore@50.7.199.107] has joined #openvpn 00:33 -!- moore1 [~moore@50.7.199.107] has left #openvpn [] 00:43 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 264 seconds] 00:58 -!- mattock_afk is now known as mattock 01:21 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 01:25 -!- brute11k [~brute11k@89.249.235.33] has joined #openvpn 01:27 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 01:32 -!- brute11k [~brute11k@89.249.235.33] has quit [Quit: Leaving.] 01:35 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn [] 01:35 -!- niervol [~krystian@193.106.244.150] has joined #openvpn 02:02 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn 02:04 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 02:36 -!- PeppiX [~PeppiX@89-96-212-226.ip14.fastwebnet.it] has joined #openvpn 02:37 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn 02:38 < PeppiX> hi all 02:38 < PeppiX> I've a question about the last openvpn release (2.3.0) 02:39 < PeppiX> the addtap binary is not present 02:39 < PeppiX> how can I add another tap? 
02:39 <+pekster> PeppiX: That's a batch script, not a binary, and you need to install the 'tap-windows.exe' program that should be present in your .\bin\ path relative to your install dir 02:39 <+pekster> When you install it, just overwrite the default location (which should already exist) and select the 'Utilities' option that's unchecked by default 02:40 <+pekster> It's on my todo list to submit a patch to the developers so that's installed by default, but it was removed early on in the 2.3 pre-release cycle :\ 02:41 -!- zamba [marius@flage.org] has joined #openvpn 02:42 < zamba> when trying to establish a openvpn connection i get the following error: 02:42 < PeppiX> @pekster: thanks 02:42 < zamba> VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=KG/ST=NA/L...... 02:43 < zamba> TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 02:43 < PeppiX> the problem is that I don't have 'tap-windows.exe' in bin (under openvpn) 02:43 < zamba> http://pastie.org/5666688 02:43 < zamba> here's the full error 02:43 < PeppiX> I'll try the install again with 'options' checked :) 02:45 <+pekster> PeppiX: If you bust open the 'openvpn-install-2.3.0-I001-*.exe' file (* will vary depending on the 32 or 64-bit version) with 7-zip, that installer will also be present in the .\$TEMP\ dir. 
But I've confirmed it gets installed at \bin\tap-windows.exe in the official 2.3.0 release 02:46 <+pekster> However, in the rc1 and rc2 releases, the installer is *not* present at .\bin\ of the installed program, and only present in the openvpn installer via 7-zip or some other decompressor 02:48 <+pekster> zamba: Looks like the CA file in your config on the side that gives you that 'VERIFY ERROR' message can't tie the certificate the remote peer is presenting to the referenced CA 02:50 <+pekster> The certificate used by the remote peer must be signed by the CA you have a public key for (the CA certificate) on the system performing the verification 02:50 <+pekster> !certverify 02:50 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile ` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5 02:51 <+pekster> ^^ zamba, maybe that's helpful? 02:51 < zamba> pekster: ok, i'll check it out 02:51 < zamba> thanks :) 02:51 <+pekster> Here's more generic information: 02:51 <+pekster> !pki 02:51 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Here's a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that each other were signed by the right ca.key. Optionally, the client also checks that the server cert was 02:51 <@vpnHelper> signed specially as a server (see !servercert) 02:58 < PeppiX> @pekster I've extracted openvpn-install-2.3.0-I001-*.exe with 7-zip and I found tap-windows.exe 02:58 < PeppiX> now...to add another tap do I have to launch and install tap-windows.exe? 
02:59 <+pekster> That's just an installer; the openvpn project installer already installed 'tap-windows' for you, but you need to *reinstall* with the optional "utilities" checkbox checked, which will give you the missing batch scripts 02:59 <+pekster> It's an annoyance that 2.3.0 removed it by default 03:00 < PeppiX> oh yeees 03:00 < PeppiX> done :) 03:00 < PeppiX> now I have 2 taps 03:00 < PeppiX> so I can use 2 vpn-certificates at the same time 03:00 < PeppiX> thanks a lot :L) 03:01 <+pekster> No problem :) 03:02 -!- PeppiX [~PeppiX@89-96-212-226.ip14.fastwebnet.it] has quit [] 03:03 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Ping timeout: 265 seconds] 03:32 -!- dazo_afk is now known as dazo 03:55 -!- folivora [~out@46.19.34.64] has quit [Read error: Connection reset by peer] 03:55 -!- folivora_ [~out@46.19.34.64] has joined #openvpn 04:04 -!- Suterusu [~EyeR@unaffiliated/suterusu] has quit [Ping timeout: 264 seconds] 04:06 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 276 seconds] 04:32 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Remote host closed the connection] 04:48 -!- dxtr [~dxtr@unaffiliated/dxtr] has quit [Ping timeout: 276 seconds] 04:55 -!- dxtr [~dxtr@unaffiliated/dxtr] has joined #openvpn 04:58 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Operation timed out] 05:06 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn 05:12 -!- pie__ [~pie_@94-21-58-185.pool.digikabel.hu] has joined #openvpn 05:12 -!- pie__ [~pie_@94-21-58-185.pool.digikabel.hu] has quit [Changing host] 05:12 -!- pie__ [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn 05:16 -!- pie___ [~pie_@unaffiliated/pie-/x-0787662] has quit [Ping timeout: 272 seconds] 05:30 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has joined #openvpn 06:08 -!- dazo is now known as dazo_afk 06:19 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.223.wb.wifirst.net] has quit [Ping 
timeout: 255 seconds] 06:19 -!- defswork [~andy@141.0.50.105] has quit [Quit: Ex-Chat] 06:31 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit [] 06:34 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 06:37 -!- igor__ [~igor@pd907e599.dip0.t-ipconnect.de] has joined #openvpn 06:43 -!- brute11k [~brute11k@89.249.235.33] has joined #openvpn 06:56 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Connection timed out] 06:57 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn 07:03 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 07:33 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn 08:22 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Quit: leaving] 08:25 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn 08:40 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 08:46 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has joined #openvpn 09:00 -!- _-Jon-_ [~jon@2607:f2c0:f00f:2100:5054:ff:fe00:884e] has joined #openvpn 09:04 -!- u0m3 [~Radu@92.80.72.203] has joined #openvpn 09:13 -!- _-Jon-_ [~jon@2607:f2c0:f00f:2100:5054:ff:fe00:884e] has quit [Quit: [BX] Reserve your copy of BitchX-1.2c02 for the Apple Newton today!] 09:16 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.] 09:29 -!- pelle2 [~p@nl102-232-231.student.uu.se] has joined #openvpn 09:29 < pelle2> !welcome 09:29 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 09:29 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 09:30 < pelle2> !goal 09:30 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 09:40 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn 09:41 < pelle2> I just want to connect to a vpn server run by a company providing this service to let customers get another IP, but when I try to connect to it, I get an error message in the openvpn log, and since this error message occurred, I can still connect (complete the initiation sequence), but I can't use the connection for actually sending any data through it 09:41 < pelle2> the error message is the following: ERROR: FreeBSD route add command failed: external program exited with error status: 1 09:42 < pelle2> does anyone have a clue as to what could possibly be the cause of this? 09:42 < gladiatr> pelle2, What version of opvpn are you running on your end? 09:45 < gladiatr> the problem stems from running as a non-root user. It should be waiting to drop privileges until after the push options are processed, though. 09:45 < gladiatr> are you using any sort of up script? 09:51 <@ecrist> morning, folks 09:52 < pelle2> well, I'll try to find out, it's the client that comes with pfsense 2.1, so I don't really know straight away 10:01 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds] 10:04 < pelle2> can't find it 10:04 < pelle2> do you think it's possible to fix on the client side or is it something they have changed on the server side? 10:08 < gladiatr> it is a problem on the client side. 
10:08 < gladiatr> openvpn isn't in a state where it has the correct privileges to add the required routes 10:09 < gladiatr> (what the error you recounted indicates) 10:10 -!- ether0 [~ether0@72.22.83.65] has quit [Quit: Changing server] 10:16 < pelle2> hm 10:16 < pelle2> strange 10:17 < pelle2> if i knew enough about these kind of things, i guess i could add the route manually in pfsense 10:17 < gladiatr> I'd ping the pfsense people about it 10:18 < pelle2> yep 10:18 < pelle2> thanks 10:21 -!- master_of_master [~master_of@p57B52A2D.dip.t-dialin.net] has quit [Ping timeout: 255 seconds] 10:23 -!- master_of_master [~master_of@p57B54DDA.dip.t-dialin.net] has joined #openvpn 10:25 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 255 seconds] 10:28 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 10:31 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer] 10:48 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 10:48 -!- mode/#openvpn [+v s7r] by ChanServ 10:51 < gladiatr> np 10:53 -!- igor__ [~igor@pd907e599.dip0.t-ipconnect.de] has quit [Quit: leaving] 10:57 -!- pelle2 [~p@nl102-232-231.student.uu.se] has quit [Remote host closed the connection] 10:58 -!- pelle2 [~p@nl102-232-231.student.uu.se] has joined #openvpn 11:08 -!- raidz_away is now known as raidz 11:31 -!- pelle2 [~p@nl102-232-231.student.uu.se] has quit [Ping timeout: 276 seconds] 11:33 -!- pelle2 [~p@nl102-232-231.student.uu.se] has joined #openvpn 11:43 -!- Devastator [~devas@186.214.14.25] has joined #openvpn 11:44 -!- Devastator [~devas@186.214.14.25] has quit [Changing host] 11:44 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 11:55 -!- DBordello [~DBordello@unaffiliated/dbordello] has quit [Ping timeout: 260 seconds] 12:02 -!- DBordello [~DBordello@2607:ff50:0:1a::10] has joined #openvpn 12:02 -!- DBordello [~DBordello@2607:ff50:0:1a::10] has quit [Changing host] 12:02 -!- 
DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn 12:08 -!- DBordello [~DBordello@unaffiliated/dbordello] has quit [Ping timeout: 260 seconds] 12:13 -!- DBordello [~DBordello@2607:ff50:0:1a::10] has joined #openvpn 12:13 -!- DBordello [~DBordello@2607:ff50:0:1a::10] has quit [Changing host] 12:13 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn 12:15 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn 12:17 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 12:28 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 12:37 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 12:44 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Ping timeout: 244 seconds] 12:45 -!- DBordello [~DBordello@unaffiliated/dbordello] has quit [Ping timeout: 260 seconds] 13:13 -!- DBordello [~DBordello@2607:ff50:0:1a::10] has joined #openvpn 13:13 -!- DBordello [~DBordello@2607:ff50:0:1a::10] has quit [Changing host] 13:13 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn 13:21 -!- neverme [neverme@201.80.6.95] has joined #openvpn 13:22 < neverme> I was having doubt about 1 thing on the ccd file, for example I have created the following config file client1 with ifconfig-push 10.8.0.21 10.8.0.22, what I am having doubt with is, will that limit client1 to acquire the ip ending with 1 or will it get either ip ending .1 or .2? 
13:22 < neverme> besides that my default openvpn conf is set to start at .50 to ensure lower numbers won't get auto acquired 13:31 -!- anonymuse [anonymuse@cpe-68-173-27-87.nyc.res.rr.com] has joined #openvpn 13:32 -!- anonymuse is now known as intransit 13:32 -!- intransit is now known as intransit[a] 13:33 -!- intransit[a] is now known as intransit 13:34 -!- intransit is now known as JesseWhite 13:41 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye] 14:01 -!- MeanderingCode [~Meanderin@71-213-184-243.albq.qwest.net] has joined #openvpn 14:02 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 14:16 < neverme> So, I might be overlooking it but from what I understood so far, if I want to deliver a static ip to each client I need to create a different network for each? for instance 10.9.1.1 - 10.9.1.2, 10.9.2.1 - 10.9.2.2 and so on, or is there a reusable way to do this using the default ip 10.8.0.0? or to use it I need to take into account the unusable ips, like if I make it 10.8.0.21 - 10.8.0.22 it will also use .20 and .23 so next would start at .25 - .26? 14:18 <+pekster> !net30 14:18 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 14:20 <+pekster> neverme: OpenVPN allocates a fake /30 to each client to support Windows limitations with older tap drivers; that's not required anymore with subnet topology, and Linux/Unix just uses a PtP configuration within the inside of the /30 anyway 14:21 <+pekster> (and by "tap" driver, I mean the Win32-TAP driver in tun mode; "tap driver" is just the driver name) 14:21 < neverme> !topology 14:21 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. 
or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this. 14:21 < neverme> thanks will see what I can do 14:22 <+pekster> And, after I just scrolled up to see your earlier question, yes, you can (and should) push static IPs that are outside of your pool range 14:23 <+pekster> When supporting Windows clients in net30 topology, you must push a pair of IPs inside a /30. In subnet mode you push an IP and netmask 14:24 <+pekster> Linux clients can use any 2 IPs. Technically you can even do this (but you should not, for obvious reasons) push "ifconfig 192.168.0.1 10.1.2.3" 14:25 < neverme> I see thanks a lot :) am looking into the topology option to see what changes I need to make etc really appreciated 14:28 -!- brute11k [~brute11k@89.249.235.33] has quit [Read error: Connection reset by peer] 14:29 -!- brute11k [~brute11k@89.249.235.33] has joined #openvpn 14:29 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Quit: Ex-Chat] 14:30 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 14:59 < neverme> pekster so I am testing it now, however the client doesn't seem to get the ip, keeps saying TEST ROUTES: 0/0 succeeded 14:59 < neverme> I am using ver 2.3.0 15:01 <+pekster> testing what? It's quite possible to use OpenVPN in a configuration that does not set any routes (hence you will need "0 of 0" network routes added.) 
Post some configs, because I have no clue what your setup is 15:06 < neverme> my server conf http://pastebin.com/5kDAQVEe my client1 ccd is "ifconfig-push 10.8.0.21 10.8.0.22" without double-quotes, my client1 config is equal to the sample file except I changed the IP it needs to connect to 15:07 < neverme> I'm running the basic conf and am trying to assign ips 21~30 to 10 pcs 15:07 <+pekster> The 2nd argument to 'ifconfig-push' needs to be a subnet mask, not an IP 15:08 <+pekster> See the --ifconfig-push and --ifconfig parameters in the manpage for usage details, but you need a netmask there (so, 255.255.255.0 in your setup) 15:08 < neverme> I see so when I use topology subnet it must be the netmask? 15:08 <+pekster> Yup 15:08 -!- gladiatr [~sdspence@24.124.15.166] has joined #openvpn 15:08 -!- gladiatr [~sdspence@24.124.15.166] has quit [Changing host] 15:08 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn 15:08 < neverme> and should I still use it as 252 or as 0? because there will be more than 1 sequential ip 15:08 <+pekster> You directly set a /24 netmask in subnet topology 15:09 <+pekster> The /30 stuff is for net30 topology only 15:11 < neverme> pekster sweet it's working like a charm now, and yes it makes sense now, I was a bit confused because with the default /30 it asked me for the ips 15:11 < neverme> thanks a lot for taking the time to help this noob ;) 15:12 <+pekster> np. Some other small suggestions: get rid of the 'ifconfig-pool-persist' option; it's mostly worthless, and can potentially cause issues (edge cases, but I've seen reports of them when duplicate IPs or something get in there, for w/e reason.) 
Also, if you're supporting clients that get pool IPs (ie: not statically set in ccd files) you should set your ifconfig-pool range outside the static range 15:14 < neverme> yeah I am using .21 to .30 and the pool starts at .50 15:15 <+pekster> Not in that server setup it doesn't 15:15 < neverme> will remove the pool persist, it was originally from the default config 15:15 <+pekster> The 'server' directive expands internally (see --server in the manpage for details) to use the entire range minus the IP for the server and reserved network/"broadcast" IPs 15:15 < neverme> oh, yes you're right, I was reading the bridge option 15:16 <+pekster> You can override the pool range by defining your own ifconfig-pool directive below the 'server' directive 15:16 < neverme> will do that now thanks a lot ;) 15:16 <+pekster> I think (I don't generally use the server directive - you might actually need to expand the server directive yourself. I'm not sure on that point, actually) 15:19 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has joined #openvpn 15:22 < neverme> per man ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0 so it should be fine if I just add below it ifconfig-pool 10.8.0.50 10.8.0.100 255.255.255.0 right? 15:23 < neverme> below the server* 15:23 -!- [1]JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn 15:25 <+pekster> I guess not: Options error: --server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly 15:25 <+pekster> So, expand the server directive yourself 15:25 -!- Drone4four [~gnull@CPE78cd8e66c1f0-CM78cd8e66c1ed.cpe.net.cable.rogers.com] has quit [Quit: Leaving] 15:27 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Ping timeout: 276 seconds] 15:32 < neverme> pekster I'm rather confused by "expand" it, by that you mean manually change the startup script and/or manually start the server by defining my own ifconfig, and ifconfig-pool? 
15:33 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 17.0.1/20121128204232]] 15:34 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn 15:40 -!- MeanderingCode [~Meanderin@71-213-184-243.albq.qwest.net] has quit [Read error: Connection reset by peer] 15:43 <+pekster> neverme: Expand the directive. So instead of using "server 10.8.0.0 255.255.255.0" define 'mode server' 'tls-server' 'push "topology subnet"' 'ifconfig 10.8.0.1 255.255.255.0' 'push "route-gateway 10.8.0.1"' 'ifconfig-pool 10.8.0.50 10.8.0.254' 15:43 <+pekster> etc 15:44 <+pekster> Just read the --server example in the manpage; it shows you all the expansion you would need to do 15:54 < neverme> aha now I understood it, slight change I had to do was server 10.8.0.1 10.8.0.2 rather than netmask, besides that it seems to be working just fine with it, pool is working 50 and above and the static ips are setting just fine. thanks a lot 16:00 -!- brute11k [~brute11k@89.249.235.33] has quit [Quit: Leaving.] 
16:02 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [] 16:03 -!- neverme [neverme@201.80.6.95] has quit [Quit: Leaving] 16:05 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 16:12 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn 16:16 -!- Mimiko [~Mimiko@89.28.88.177] has quit [] 16:18 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 255 seconds] 16:19 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn 16:21 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit [] 16:44 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving] 16:47 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 240 seconds] 16:50 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 16:58 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has left #openvpn ["WeeChat 0.3.9.2"] 16:59 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Operation timed out] 17:09 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn 17:15 -!- Mimiko [~Mimiko@89.28.88.177] has quit [] 17:24 -!- Devastator [~devas@186.214.111.24] has joined #openvpn 17:24 -!- Devastator [~devas@186.214.111.24] has quit [Changing host] 17:24 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 17:27 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Quit: Leaving] 18:00 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 18:19 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 244 seconds] 19:13 -!- raidz is now known as raidz_away 19:13 -!- blackness [~black@mobile.blackmajic.org] has joined #openvpn 19:37 -!- crhylove [~rthornton@grps-edge-4.visp.net] has joined #openvpn 19:37 < crhylove> Hi, I'm trying to get a Linux Mint laptop onto my corporate vpn. 
19:37 < crhylove> Any idea what settings to use under advanced?
19:38 <+rob0> Not sure what you're asking, but it's probably something about your GUI/frontend, not openvpn itself.
19:39 <+rob0> Ask your VPN administrator how to configure the client.
19:43 < crhylove> Yeah, he's lagging. :)
19:45 -!- u0m3 [~Radu@92.80.72.203] has quit [Read error: Connection reset by peer]
20:05 < crhylove> OK, got my vpn setup.
20:05 < crhylove> What's the best rdp client these days?
20:05 < crhylove> remmina?
20:08 < crhylove> I see freerdp-x11, but I don't see a shortcut for it, and it doesn't launch from the terminal
20:08 < crhylove> :/
20:29 -!- swat [~swat@ubuntu/member/swat] has quit [Quit: Leaving.]
20:44 -!- crhylove [~rthornton@grps-edge-4.visp.net] has quit [Quit: Leaving]
20:44 -!- CrashTM [~CrashTM@69.162.93.219] has joined #openvpn
20:45 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 240 seconds]
20:45 < CrashTM> is it possible to disable an openvpn connection that i gave to someone?
20:47 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
20:53 < blackness> http://paste.blackmajic.org:81/index.php?show=28 this describes my problem in some detail. both systems in this are debian squeeze.. any ideas on why im having TLS issues?
21:16 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
21:23 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
21:51 <+rob0> CrashTM, either revoke the certificate (and use your CRL on the server), or use --ccd-exclusive.
22:08 <+pekster> There's also a 'disable' option you can put in a ccd file specifically for the disabled cert, although it's considered more proper to revoke and generate a CRL if this is a permanent revocation
22:11 -!- CrashTM [~CrashTM@69.162.93.219] has quit [Read error: Connection reset by peer]
22:15 < blackness> i got OpenVPN to connect, but when i try using it i cannot connect to anything but i can resolve hosts just fine, just cant 'talk' to remote systems, any ideas why?
22:17 <+pekster> My guess is that your DNS is still using your LAN, yet you have redirected traffic across the VPN where the remote endpoint fails to properly send it upstream
22:17 <+pekster> Post your server & client config files for further analysis:
22:17 <+pekster> !config
22:17 <@vpnHelper> (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
22:17 <+pekster> Not that, let's try this one:
22:17 <+pekster> !configs
22:17 < blackness> one second.. ill paste.
22:17 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
22:18 < blackness> http://paste.blackmajic.org:81/index.php?show=29
22:21 <+pekster> And something basic like 'ping 4.2.2.1' fails after you connect blackness ?
22:22 < blackness> yes
22:22 < blackness> it just 'hangs'
22:23 < blackness> im not using any firewall period.
22:23 < blackness> and DNS works perfectly. doesnt matter if i use udp or tcp for openvpn.
22:23 <+pekster> Looks like there's something wrong on the server not handling the forwarding properly. Have you properly set up source-NAT?
22:23 <+pekster> !redirect 22:23 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 22:23 <@vpnHelper> http://ircpimps.org/redirect.png 22:24 < blackness> !def1 22:24 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 22:24 <+pekster> You need both IP forwarding enabled and NAT configured. If you want a double-check of your NAT setup, post the output of 'iptables-save' and verify that 'cat /proc/sys/net/ipv4/ip_forward' returns the value of '1' 22:24 < blackness> should i push that from the client or server ? 22:24 < blackness> im not using iptables. 22:25 <+pekster> The way you're pushing the redirect-gateway value is fine 22:25 < blackness> and /proc/sys/../ip_forward returns 1 on the server. 22:25 <+pekster> (the push you have on the client for explicit-exit-notify is however pointless 22:25 < blackness> okay. 22:25 <+pekster> You need to use some form of NAT; if you're not using netfilter (ie: iptables) how are you performing NAT? 22:25 < blackness> i wasnt aware i needed iptables. 22:25 <+pekster> The bot's reply for "redirect" I posted above indicates NAT is required 22:25 < blackness> do i need a extensive iptables setup for that? 
22:26 <+pekster> Nope
22:26 <+pekster> !linnat
22:26 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
22:26 < blackness> thats all i need to do?
22:26 <+pekster> IP forwarding also needs to be enabled:
22:26 <+pekster> !ipforward
22:26 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
22:26 <+pekster> !linipforward
22:26 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
22:27 < blackness> so i issue the first line, then the second line and thats it?
22:27 < blackness> i dont use iptables much :P
22:27 <+pekster> Right. Those only stay in memory until reboot, so you should use your distro's preferred way to make both changes persistent
22:27 < blackness> thats not an issue. :)
22:27 < blackness> i got a debian firewall-save i can modify
22:27 <+pekster> /etc/sysctl.conf is usually pretty supported across distros, but every distro does firewall save/restore differently
22:28 < blackness> but im going to test it temp in case im locked out :P
22:28 <+pekster> Yup
22:28 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has joined #openvpn
22:28 <+pekster> A cronjob to reboot 10 minutes into the future never hurts either ;)
22:28 < blackness> its a VPS.. xm reboot domain :P
22:29 <+pekster> It's more fun when you lock yourself out of a physical hardware system that's in a different state with no remote hands ;)
22:33 -!- black [~black@vdsl001.client.black.blackmajic.org] has joined #openvpn
22:33 < black> ok.. i got it working.
22:33 -!- blackness [~black@mobile.blackmajic.org] has quit [Ping timeout: 252 seconds]
22:33 < black> now to fix the ident
22:33 -!- black is now known as Guest90493
22:33 -!- Guest90493 [~black@vdsl001.client.black.blackmajic.org] has left #openvpn []
22:33 -!- blackness [~black@vdsl001.client.black.blackmajic.org] has joined #openvpn
22:34 < blackness> sorry for the j/p..
22:34 < blackness> now to figure out how to open the ports.. so identd will work and what not
22:34 <+pekster> You want to run an identd on the VPN server, or forward it to your connected client?
22:35 <+pekster> (the former is easier; the latter requires a DNAT rule and binding your IP to the target IP of that rule, or optionally doing that dynamically via a --client-connect ovpn script parameter)
22:35 < blackness> i got oidentd running on the VPN host.
22:35 < blackness> but it isnt working..
22:35 <+pekster> Now that part I can't help you with :P
22:35 < blackness> at least i dont think it is.
22:36 * pekster shines his "~" in front of his user
22:36 < blackness> yeah.. its running but isnt working.
22:36 < blackness> i just tested it 22:36 <+pekster> I'll settle for using an X509-secured TLS connection to Freenode instead of having identd work :P 22:36 < blackness> i guess i gotta fwd all port traffic to my client? 22:37 <+pekster> You can run identd wherever you'd like; how you get it to reply with the expected value is something I have no experience with. I just send TCP reset packets on my ident port 22:37 <+pekster> (eg: IRC bouncers somehow tie the reply to the user the account is bound to) 22:38 <+pekster> I don't run a bouncer, so I only care about actively rejecting the ident query from the IRC server so I don't have to wait 10 seconds while it "tries" to get a reply on port 113 22:43 < blackness> i got oidentd running on vpn host, and vpn client and it fails..guess i gotta set the vpn dhcp ip 22:43 < blackness> root oidentd 3894 tcp4 10.8.0.6:113 *:* LISTEN :P 22:44 <+pekster> That looks like your client; a request from the server performing the connection (such as the IRC server) will reach your public IP on your VPN server, not that RFC1918 private address 22:46 < blackness> hm. 22:47 <+pekster> That's why you need SNAT to get out; your private 10.8.0/24 network doesn't actually exist as far as the rest of the Internet is concerned 22:48 < blackness> hm. 22:48 < blackness> idk if i got SNAT working currently 22:48 < blackness> i thought all the traffic was passed to the client? 22:49 <+pekster> The reply traffic is, thanks to conntrack 22:49 < blackness> what about request? 22:49 <+pekster> What request? When the client sends data to the VPN server for the outside web? 22:50 < blackness> when i send out a connection to IRC, when the IRC server request information, how would it reach the client? 22:51 < blackness> like, the HostVPN is listening *:113, should it reply what is being forwarded by the client? 
22:51 <+pekster> conntrack keeps track of stateful connections, so a reply to a translated session that the client has initiated is sent back to the client
22:51 < blackness> hmm.. seems this is going to take a little more research :P
22:51 <+pekster> It doesn't work the other way around, because "the Internet" has no way to reach your "10.8.0.6" system. I could be using that on my private network as my home LAN
22:51 < blackness> or im going to have to write an iptables.sh as well.
22:52 < blackness> what if i direct incoming:113 to the IP of the local lan?
22:52 <+pekster> Right, that's called destination-NAT, or DNAT, and I noted that solution above
22:52 < blackness> ahh
22:52 < blackness> i gotta learn dnat before i can write all i need
23:03 < blackness> got it working :)
23:03 < blackness> thanks pekster
23:31 < blackness> well, i found a small bug.. with my fw, i cant connect to my VPS. how do i open the ports to the host so i can SSH/VPN in?
23:50 -!- blackness [~black@vdsl001.client.black.blackmajic.org] has quit [Ping timeout: 252 seconds]
--- Day changed Sat Jan 12 2013
00:07 -!- blackness [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn
00:12 -!- blackness [~black@ip98-185-21-138.rn.hr.cox.net] has quit [Quit: Leaving]
00:15 -!- blackness [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn
00:21 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 264 seconds]
00:26 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Remote host closed the connection]
01:07 -!- spricer [~mix@192-0-132-186.cpe.teksavvy.com] has joined #openvpn
01:08 < spricer> Hi, is there a way to pass the certificate password to the configuration file?
01:09 <+pekster> spricer: See the --askpass option in the manpage. If you're going to use that, you're really better off just decrypting the private key in the first place
01:12 < spricer> You are right, I can create a new certificate but just still curious about the dark side :) txs
01:12 <+pekster> You don't need to create a new "certificate" at all
01:12 <+pekster> You can decrypt the private key anytime you want
01:12 <+pekster> Or re-encrypt it with a different passphrase
01:12 <+pekster> Also on point: you don't encrypt the certificate; that's public knowledge. You encrypt the private key
01:13 < spricer> that is also true...
01:13 <+pekster> 'openssl rsa -' will output usage on managing an existing RSA key
01:14 <+pekster> eg: to decrypt one, use 'openssl rsa -in current.key -out new.key' or to set a passphrase or change it to a new one, use 'openssl rsa -in current.key -out new.key -des3'
01:44 -!- spricer [~mix@192-0-132-186.cpe.teksavvy.com] has quit [Quit: Leaving]
02:15 -!- brute11k [~brute11k@89.249.235.33] has joined #openvpn
02:30 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 244 seconds]
02:40 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
03:02 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
03:26 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
04:15 -!- blackness [~black@ip98-185-21-138.rn.hr.cox.net] has quit [Ping timeout: 260 seconds]
04:15 -!- black_ [black@vdsl001.client.black.blackmajic.org] has joined #openvpn
04:15 -!- black_ is now known as blackness
04:20 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds]
04:22 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has quit [Ping timeout: 248 seconds]
04:24 -!- blackness [black@vdsl001.client.black.blackmajic.org] has quit [Ping timeout: 244 seconds]
04:26 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
04:27 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
04:27 -!- blackness
[black@vdsl001.client.black.blackmajic.org] has joined #openvpn 04:42 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 04:43 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 04:46 -!- valparaiso [~valparais@ARennes-257-1-179-35.w2-13.abo.wanadoo.fr] has joined #openvpn 04:50 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 05:07 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 05:13 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 05:29 -!- Mhrok [~mhrok@178-36-52-42.adsl.inetia.pl] has joined #openvpn 05:29 < Mhrok> Hello! 05:43 -!- Mhrok [~mhrok@178-36-52-42.adsl.inetia.pl] has quit [Quit: WeeChat 0.4.0-rc1] 06:27 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds] 06:34 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 06:43 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 06:59 -!- p3rror [~mezgani@2001:0:53aa:64c:74:6e1a:d607:4b7d] has joined #openvpn 07:04 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Excess Flood] 07:05 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 07:11 -!- p3rror [~mezgani@2001:0:53aa:64c:74:6e1a:d607:4b7d] has quit [Remote host closed the connection] 07:19 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 07:21 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 07:23 -!- cosmicgate [~root@216.17.109.26] has joined #openvpn 07:25 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn 07:30 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Quit: Ex-Chat] 07:42 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 07:47 -!- cosmicgate [~root@216.17.109.26] has quit [Remote host closed the connection] 07:48 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 07:50 -!- cosmicgate 
[~root@216.17.109.26] has joined #openvpn 07:50 -!- cosmicgate is now known as asdasdasd 07:56 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 08:03 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 08:06 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-uxbspexqfkwdnydz] has quit [Quit: Planned maintenance, back soon] 08:06 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-wznbqzxmeppumdbt] has quit [Quit: Planned maintenance, back soon] 08:34 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds] 08:40 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 08:43 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.] 08:45 -!- asdasdasd [~root@216.17.109.26] has quit [Ping timeout: 240 seconds] 08:51 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 08:56 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 08:58 -!- CEnnis91 [uid3543@gateway/web/irccloud.com/x-jwtrifiamymywmib] has joined #openvpn 08:59 -!- u0m3 [~Radu@92.80.72.203] has joined #openvpn 09:02 -!- u0m3 [~Radu@92.80.72.203] has quit [Client Quit] 09:03 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-layqgdbowlknfrko] has joined #openvpn 09:04 -!- u0m3 [~Radu@92.80.72.203] has joined #openvpn 09:11 -!- blackness [black@vdsl001.client.black.blackmajic.org] has quit [Quit: Leaving] 09:19 -!- u0m3 [~Radu@92.80.72.203] has quit [Read error: Connection reset by peer] 09:22 -!- u0m3 [~Radu@92.80.72.203] has joined #openvpn 09:59 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 265 seconds] 10:13 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 10:14 -!- valparaiso [~valparais@ARennes-257-1-179-35.w2-13.abo.wanadoo.fr] has left #openvpn [] 10:20 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 10:21 -!- master_of_master [~master_of@p57B54DDA.dip.t-dialin.net] has quit [Ping timeout: 255 seconds] 10:23 -!- master_of_master 
[~master_of@p57B5338D.dip.t-dialin.net] has joined #openvpn 10:26 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds] 10:26 -!- Assid [~kvirc@unaffiliated/assid] has joined #openvpn 10:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 10:38 -!- Assid [~kvirc@unaffiliated/assid] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/] 10:59 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 11:04 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 11:04 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 11:06 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 11:12 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 255 seconds] 11:22 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds] 11:29 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 11:36 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 11:42 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 11:47 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 11:54 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 12:05 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds] 12:11 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 12:14 -!- [1]JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- \o/] 12:15 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn 12:15 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 12:18 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 12:21 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 12:48 -!- brute11k1 [~brute11k@89.249.235.33] has joined #openvpn 12:49 -!- brute11k 
[~brute11k@89.249.235.33] has quit [Ping timeout: 244 seconds] 12:59 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 13:02 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has joined #openvpn 13:06 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 13:12 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 245 seconds] 13:19 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 13:28 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 13:36 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds] 13:42 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn 13:49 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has quit [Quit: Leaving.] 13:50 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 13:54 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has quit [Client Quit] 13:54 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 14:00 -!- ngharo [~ngharo@2001:1af8:4400:a049::] has quit [Ping timeout: 264 seconds] 14:02 -!- brute11k [~brute11k@89.249.230.77] has joined #openvpn 14:04 -!- brute11k1 [~brute11k@89.249.235.33] has quit [Ping timeout: 252 seconds] 14:06 -!- ngharo [~ngharo@2001:1af8:4400:a049::] has joined #openvpn 14:09 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 248 seconds] 14:22 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 14:33 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection] 14:35 -!- Porkepix_ [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has joined #openvpn 14:36 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 14:41 -!- brute11k [~brute11k@89.249.230.77] has quit [Quit: Leaving.] 
14:52 -!- Porkepix_ is now known as Porkepix 14:57 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has quit [Ping timeout: 272 seconds] 15:00 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has joined #openvpn 15:02 -!- DBordello [~DBordello@unaffiliated/dbordello] has quit [Ping timeout: 260 seconds] 15:06 -!- gladiatr [~usualfrog@openvpn/community/support/gladiatr] has joined #openvpn 15:11 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has quit [Ping timeout: 252 seconds] 15:14 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn 15:16 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has joined #openvpn 15:35 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has quit [Quit: Leaving.] 15:38 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 15:58 -!- gladiatr [~usualfrog@openvpn/community/support/gladiatr] has quit [Quit: Leaving] 16:06 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 246 seconds] 16:07 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn 16:14 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Read error: Connection reset by peer] 16:15 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn 16:17 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Read error: Connection reset by peer] 16:18 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn 16:18 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Client Quit] 16:50 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 252 seconds] 16:54 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn 17:15 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services] 17:17 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 17:17 -!- mode/#openvpn [+o vpnHelper] by ChanServ 17:23 -!- 
swat [~swat@ubuntu/member/swat] has joined #openvpn 17:46 -!- CrashTM [~CrashTM@98.144.34.109] has joined #openvpn 17:54 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Remote host closed the connection] 18:18 -!- CrashTM [~CrashTM@98.144.34.109] has quit [Ping timeout: 272 seconds] 18:31 -!- CrashTM [~CrashTM@69.162.93.219] has joined #openvpn 18:39 -!- CrashTM [~CrashTM@69.162.93.219] has quit [Read error: Connection reset by peer] 18:43 -!- Z_Analyzer [~lipalm@173-164-219-57-SFBA.hfc.comcastbusiness.net] has joined #openvpn 18:44 < Z_Analyzer> hello - is there a way to 'suspend', not revoke, a user account (CERT) on the server side ? 19:02 < BtbN> revoke the cert, and later un-revoke it? 19:05 < dioz> lets not split hairs 19:05 < MagisterQuis> Z_Analyzer: If you want to ban for a certain amount of time, use an at job. 19:07 < Z_Analyzer> I'm trying to use a ccd file - that doesn't seem to work ) no idea i could revoke and un-revoke later without sending new keys 19:07 < Z_Analyzer> MagisterQuis, what would you put in the job ? 19:07 < MagisterQuis> Z_Analyzer: The command to unrevoke a cert. 19:08 < MagisterQuis> I have to look it up every time. 19:08 < MagisterQuis> http://blog.abhijeetr.com/2012/06/revokeunrevoke-client-certificate-in.html 19:08 <@vpnHelper> Title: Blog by Abhijeet Rastogi about Linux: Revoke/Unrevoke a client certificate in OpenVPN (at blog.abhijeetr.com) 19:10 < MagisterQuis> Even better http://robert.penz.name/21/ovpncncheck-an-openvpn-tls-verify-script/ 19:10 < Z_Analyzer> yeah i'm checking out the tols-verify thing 19:10 < Z_Analyzer> tls* 19:10 <@vpnHelper> Title: ovpnCNcheck an OpenVPN tls-verify script | Robert Penz Blog (at robert.penz.name) 19:10 < Z_Analyzer> tnx 19:10 < MagisterQuis> Google. 19:10 < MagisterQuis> http://google.com 19:10 <@vpnHelper> Title: Google (at google.com) 19:10 < MagisterQuis> Heh. 
19:11 < Z_Analyzer> yeah i saw the revoke part, most FAQs and blogs talk about revoking being final - i was missing the unrevoke link
19:13 <+pekster> Z_Analyzer: Put the 'disable' directive in a ccd file
19:13 < Z_Analyzer> pekster, i tried, that didn't work
19:16 <+pekster> Hmm, I thought that was valid (trying to confirm now.) You could also use a --client-connect script that simply tests for the $common_name you're interested in and rejects it by exiting non-zero status
19:17 <+pekster> if [ "$common_name" = "invalid X509 CN from your cert" ]; then exit 1; fi; exit 0
19:17 <+pekster> Or such
19:17 < MagisterQuis> Neat idea.
19:17 < MagisterQuis> Benefit of that is you could use a database for scalability and to prevent someone trying to read and write a text file simultaneously.
19:21 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:24 -!- Crosshair84 [~Crosshair@200.49.30.11] has joined #openvpn
19:24 < Crosshair84> hello
19:25 < Crosshair84> I need help, I want to make a site to site vpn but I have some problems
19:25 < Crosshair84> I don't know what to do
19:26 < Crosshair84> can you help me?
19:26 <+pekster> Crosshair84: Do you have basic connectivity right now? Until you do you can't proceed further
19:26 < Crosshair84> yes
19:26 < Crosshair84> the client is connected
19:26 < Crosshair84> but
19:26 < Crosshair84> the problem is
19:26 < Crosshair84> from the server lan side I can't reach the client
19:26 < Crosshair84> and vice versa
19:27 <+pekster> You have LANs behind both the server and client?
19:27 <+pekster> Or just one?
19:27 < Crosshair84> yes from both
19:28 <+pekster> You should pick one at a time to get working.
We have some handy guides and a flowchart that describes all the steps you need:
19:28 <+pekster> For the LAN behind the server, see this:
19:28 <+pekster> !serverlan
19:28 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
19:28 <+pekster> For the LAN behind the client:
19:28 <+pekster> !clientlan
19:28 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
19:28 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
19:31 < Crosshair84> ok
19:32 < Crosshair84> !ipfoward
19:33 <+pekster> !ipforward
19:33 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
19:33 <+pekster> (you missed the 'r')
19:34 < Crosshair84> !winipforward
19:34 <@vpnHelper> "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
19:36 < Crosshair84> I just changed it in my windows client
19:37 < Crosshair84> I didn't know about the forward in the server and client, I just followed the HOW TO of the openvpn site
19:37 < Crosshair84> !linipforward
19:37 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm
solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
19:56 < Crosshair84> pekster, THANK YOU
19:57 < Crosshair84> I think that maybe the problem is the ip forwarding in both client and server
19:57 < Crosshair84> I made the changes in both and I can reach the 2 networks fine
19:58 < Crosshair84> It would be good if you add this information in the HOWTO of the official page
20:05 < Z_Analyzer> pekster: i ended up implementing your suggestion - works great
20:05 < Z_Analyzer> tnx
20:23 <+pekster> Z_Analyzer: np. I was busy earlier, but I just tested the 'disable' directive in a ccd file and it works as expected by rejecting the client
20:24 < Z_Analyzer> pekster, no luck for me with that one
20:24 <+pekster> I get this in my server-side log when attempting to connect with a CN of "client": "MULTI: client has been rejected due to 'disable' directive"
20:25 <+pekster> At least under 2.3.0 (I'm not sure when that option was added; you can check your manpage for the "--disable" parameter, which only ever makes sense for a ccd file)
20:25 < Z_Analyzer> pekster, i have 2.1.3
20:25 <+pekster> Ah, that may be too old to support that
20:26 < Z_Analyzer> Disable a particular client (based on the common name) from connecting. Don't use this option to disable a client
20:26 < Z_Analyzer> due to key or password compromise. Use a CRL (certificate revocation list) instead (see the --crl-verify option).
20:26 < Z_Analyzer> all i got about it
20:27 <+pekster> Are you *sure* your ccd file is named properly (no .txt or any suffix to the file) and that it's the correct case on a case-sensitive OS?
20:27 <+pekster> verb 5 on the server should at least confirm it finds the ccd file when the client connects
20:27 < Z_Analyzer> i gave the file an extension
20:27 < Z_Analyzer> hm
20:27 <+pekster> You can't do that
20:27 <+pekster> Unless you actually signed your cert like "MyClient.txt"
20:28 <+pekster> ie: CN=SampleName.txt
20:28 <+pekster> Most people don't do that ;)
20:29 < Z_Analyzer> hmmm that must be it
20:29 < Z_Analyzer> a bit obscure
20:29 <+pekster> Not at all
20:29 <+pekster> Manpage says "OpenVPN will look in this directory for a file having the same name as the client's X509 common name. If a matching file exists, it will be opened and parsed for client-specific configuration options."
20:30 <+pekster> So, if a file does not exist named the same (yes, that's EXACTLY the same) as the client's X509 common name, it will not be parsed
20:30 < Crosshair84> PEKSTER thanks for your help
20:30 <+pekster> Crosshair84: np
20:30 < Crosshair84> good night bye
20:31 -!- Crosshair84 [~Crosshair@200.49.30.11] has quit []
20:46 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has quit [Quit: Leaving.]
20:50 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 21:10 -!- thermoman [~thermoman@idle.foobar0815.de] has joined #openvpn 22:04 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn 22:05 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Read error: Connection reset by peer] 23:28 -!- blackness [black@vdsl001.client.black.blackmajic.org] has joined #openvpn --- Day changed Sun Jan 13 2013 00:14 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 264 seconds] 00:22 -!- spricer [mix@anon-163-109.vpn.ipredator.se] has joined #openvpn 00:29 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn 00:29 -!- tjz [~tjz@unaffiliated/tjz] has quit [Client Quit] 00:31 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn 01:00 -!- mix_ [~mix@192-0-132-186.cpe.teksavvy.com] has joined #openvpn 01:02 -!- spricer [mix@anon-163-109.vpn.ipredator.se] has quit [Ping timeout: 252 seconds] 01:26 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 01:28 < anth0ny> trying to set up a vpn for the first time, connecting to my a server running at my home. I'm having trouble understanding what the role of 'push "dhcp-option DOMAIN yourdomain.com" ' in the standard example server.conf files does. What would my 'yourdomain.com' be? 01:31 <+pekster> anth0ny: You don't need it for a basic setup like that. It's useful in networked domain environments to get DNS suffix search to work with a client's resolver (eg: for an office running a Windows domain.) 01:31 < anth0ny> got it, thanks 01:53 < anth0ny> If I'm trying to set up a VPN to tunnel traffic through my home computer, does that have to be a 'bridged vpn'? 01:54 <+pekster> no, stick with routed 01:54 < anth0ny> yeah? and that will let me access the internet over the VPN? 
01:54 <+pekster> See: 01:54 <+pekster> !redirect 01:54 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 01:54 <@vpnHelper> http://ircpimps.org/redirect.png 01:55 < anth0ny> basically, my goal is to have a router running OpenWRT in Canada as an OpenVPN client, so that I can connect to that and tunnel traffic through the VPN to a server running at my home in the US, allowing me to appear to the internet as if I'm in the US 01:56 < anth0ny> does that sound feasible with routed VPN? 01:57 < anth0ny> awesome flow chart 01:57 <+pekster> Yes, there's absolutely no need for bridging in that setup 01:57 <+pekster> !tunortap 01:57 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you 01:57 <@vpnHelper> over the vpn or (#4) lan gaming? use tap! 
01:58 < anth0ny> awesome 01:58 < anth0ny> thanks again 02:12 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 246 seconds] 02:14 -!- brute11k [~brute11k@89.249.230.77] has joined #openvpn 02:18 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 02:18 -!- brute11k [~brute11k@89.249.230.77] has quit [Read error: Connection reset by peer] 02:18 < anth0ny_> pekster, this diagram you linked as been helping me so much 02:19 < anth0ny_> I've gotten to "Is NAT enabled on the VPN subnet?", not sure how to check that or to do that, any pointers? 02:19 <+pekster> !nat 02:19 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto 02:21 < anth0ny_> the fact that you have this down in such an automated fashion is making feel like my questions aren't very original... 02:21 -!- brute11k [~brute11k@89.249.230.77] has joined #openvpn 02:23 <+pekster> The bot has maybe 100 entries or so for common questions; if people ask it, the bot tends to get an entry added to make the job of voulenteers here easier 02:26 -!- mattock is now known as mattock_afk 02:28 -!- anth0ny__ [~anth0ny@c-67-171-37-67.hsd1.wa.comcast.net] has joined #openvpn 02:28 < anth0ny__> pekster, well, it works, thanks so much for your advice! 02:29 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 255 seconds] 02:30 <+pekster> Glad you got it figured out 02:39 < mix_> Have connected firewall as client to OpenVPN server. Is it possible to conect (using RD) from system behind that firewall (LAN IP address) to system behind OpenVPN server (IP address of VPN range)? 
02:41 <+pekster> mix_: So you have basic connectivity between your 2 VPN peers and want to get communication working with LANs behind each? 02:46 < mix_> I think there is explanation for that "site to site VPN". What I am asking can I connect from LAN behind firewall to VPN network directly. 02:47 <+pekster> To the VPN network, or to a client on the LAN behind the opposing VPN peer? 02:48 <+pekster> If you have: [LAN 1] --- [VPN client] -- -- [VPN server] -- [LAN 2] do you want hosts on LAN1 to reach hosts on LAN2? Or just the VPN subnet (in which case LAN2 doesn't even matter) 02:48 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 02:48 < mix_> Yes but client behind the opposing VPN peer already has VPN range address so I do not need to connect ot its LAN address. 02:49 < mix_> yes 02:49 <+pekster> You can't overlap network ranges, if that's what you're doing 02:49 < mix_> LAN 2 does not matter 02:49 <+pekster> The network range for the virutal VPN space can't collide with the LANs addressing scheme 02:50 < mix_> I want this: Or just the VPN subnet (in which case LAN2 doesn't even matter) 02:50 -!- anth0ny__ [~anth0ny@c-67-171-37-67.hsd1.wa.comcast.net] has quit [Ping timeout: 256 seconds] 02:50 <+pekster> How do the clients "behind" the VPN client "already have" a VPN network IP? 
You can't do that 02:50 <+pekster> You need to route traffic between uniquely numbered networks to do that 02:51 <+pekster> Maybe this will explain a bit better: 02:51 <+pekster> !clientlan 02:51 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route 02:51 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png 02:52 < mix_> Let me try to explain it better if I can :) 02:54 <+pekster> Sure. And if you have a VPn set up already with basic connectivity between your VPN server & client, posting your server config to a pastebin site might help too. Add your LAN network info (network range and default gateway, along with the client's IP on that network) and it should help paint a clearer picture of what you have to work with 02:55 < mix_> I am road warrior which connects to server and than I am able to RD to another machine on that network (VPN network) (both ways). That works as a charm. 02:56 < mix_> road warrior from windows system... 02:57 < mix_> In meantime I installed pf sense and used same client configuration to connect to server which works also fine 02:59 <+pekster> To get bi-directional connectivity with clients behind your VPN client (be it pfSense or whatever else) you need to follow that !clientlan posting the bot gave you 02:59 < mix_> so my question is can I connect system behind pfsense (routing!?) to VPN Network that pf sense is connected to? 
02:59 <+pekster> Right, see the !clientlan output from above 03:00 <+pekster> This requires supporting changes on both the client LAN and server-side LAN, in addition to making OpenVPN at both peers aware of the networks accessible through the VPN link 03:00 <+pekster> The flowchart explains all the OpenVPN and routing steps required 03:03 < mix_> "and server-side LAN" ....even if I do not connect to that LAN? 03:03 < mix_> I am connecting to VPN address... 03:04 <+pekster> In order to get packetsk *back* to the client LAN the server-side routing infrastructure (your gateways and such there) need routes 03:04 <+pekster> packets* 03:04 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 03:04 <+pekster> So, if your LAN is, f.eg. 192.168.0.0/24 and the VPN is 10.8.0.0/24, with a server-LAN of 10.20.30.0/24, when a system on 10.20.30.x wants to send return traffic to 192.168.0.x, it needs a way to route back there 03:05 <+pekster> So yes, your *server*-side LAN needs a route *back* to your client-side LAN addressing 03:05 <+pekster> Or you can NAT stuff, but if you don't control the server-side VPN or network infrastructure, I suspect you're asking for help doing something you're not supposed to be doing 03:06 <+pekster> (in which case just add routes for the server-side LAN to your clienet LAN's gateway and SNAT traffic that goes across the link. And hope your netadmin doesn't find out what you're doing) 03:07 <+pekster> For a less theoretical discussion of your problem, I need to see some configuration files and network setup 03:07 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has quit [Read error: Connection reset by peer] 03:07 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 03:08 < mix_> configuration is very simple 03:08 < mix_> http://pastebin.com/WqYSddbw 03:08 < mix_> this is client side 03:08 < mix_> I wasn hoping that PF sense could handle routing to/from VPN network 03:08 <+pekster> That doesn't help. 
What I really want is server-side configuration 03:09 <+pekster> I'm beginning to suspect you don't have access to that and aren't supposed to be connecting client-side devices to your corporate network 03:10 <+pekster> If you wish to break the rules anyway, do what I said above: add routes on your LAN's default gateway to send traffic bound for the server-side network ranges to your LAN's VPN client IP, and perform NAT to masquerade the entire client LAN. And be prepared to face whatever problems that causes you if clever people at the office see what you've done (it's a lot easier than you think to spot this kind of thing) 03:11 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has quit [Read error: Connection reset by peer] 03:12 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 03:13 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has quit [Ping timeout: 240 seconds] 03:17 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has quit [Read error: Connection reset by peer] 03:17 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 03:19 < mix_> huh it took me a while to pull conf 03:19 < mix_> http://pastebin.com/qpxBCfG3 03:20 <+pekster> Does your ccd setup push a route to 192.168.10.1 or a network encompasing it? 
03:21 <+pekster> If not, sending the connecting clients a DNS entry to that IP is worthless, and not going to work since client's can't reach it 03:22 <+pekster> In order to route to a client LAN, you need a route to the client LAN in your server config, you need an iroute in that client's ccd entry for that network, and your server-side LAN environment needs to route packets for the client LAN to your VPN server 03:22 <+pekster> Which is, in fact, all expalined for you in the !clientlan output 03:25 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has quit [Read error: Connection reset by peer] 03:25 < mix_> I have that iroute LAN 03:26 < mix_> and everything is working great (both ways) 03:26 < mix_> but it seems that only way is "site to site setup" 03:27 < mix_> in CCD I have: ifconfig-push 192.168.13.78 192.168.13.77 03:27 < mix_> iroute 192.168.1.0 255.255.255.0 03:27 < mix_> am I still suspect :) 03:28 <+pekster> The server still needs a standard 'route' entry for that in addition to the iroute 03:28 <+pekster> Did you miss that part of the flowchart? 03:28 < mix_> No I will read that thanks... 03:28 <+pekster> mix_: No, but usually people who try to avoid sharing config files tend to be looking to break rules at thier jobs/networks/providers 03:29 <+pekster> Or are paranoid, in which case they shouldn't be taking advice for free on the Internet ;) 03:30 <+pekster> Also, that DNS option is still worthless since you aren't actually routing clients to that IP 03:31 < mix_> sigh... 
it is 4.30 here, I have like 30tabs open 5 conf files and had to disable everything on pfsense before I could log to work and pull everything (strip out comments etc) :)) 03:31 <+pekster> Well, I've identified several problems for you, including why your client LAN setup is busted (if you'd read the flowchart when I linked it 40 minutes ago you would already know this) and identified that your DNS server push won't work either 03:32 <+pekster> So, you're probably better off getting some info. One would hope 03:32 < mix_> You are right for DNS - leftover when I was testing dns in that network 03:38 < mix_> txs pekster 03:39 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 03:39 -!- mix_ [~mix@192-0-132-186.cpe.teksavvy.com] has quit [Quit: Leaving] 03:40 * pekster sighs 03:45 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 04:00 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Read error: Connection reset by peer] 04:01 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 04:05 -!- HyperGlide [~HyperGlid@221.237.123.59] has joined #openvpn 04:10 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Read error: Connection reset by peer] 04:10 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 04:10 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 04:23 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 04:27 -!- catsup [~d@64.111.123.163] has quit [Read error: Connection reset by peer] 04:27 -!- catsup [~d@64.111.123.163] has joined #openvpn 04:34 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 255 seconds] 04:52 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 255 seconds] 04:55 -!- mdw [~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has quit [Quit: [self sleep]] 04:59 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 05:02 -!- pelle2 [~p@nl102-232-231.student.uu.se] has quit [Quit: Reconnecting] 05:02 
05:02 -!- pelle2 [~p@178-132-78-93.cust.azirevpn.net] has joined #openvpn
05:12 -!- Guest55454 [~LaStik@62.109.16.198] has quit [Ping timeout: 240 seconds]
05:43 -!- LaStik [~LaStik@62.109.16.198] has joined #openvpn
05:44 -!- LaStik is now known as Guest19661
07:20 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has quit [Ping timeout: 248 seconds]
07:45 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn
07:56 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
08:10 -!- Porkepix [~Porkepix@LMontsouris-156-24-53-197.w193-253.abo.wanadoo.fr] has joined #openvpn
08:20 -!- swat [~swat@ubuntu/member/swat] has quit [Quit: Leaving.]
08:29 -!- kyrix_ [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
08:29 -!- kyrix_ [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Client Quit]
08:30 -!- kyrix_ [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn
08:30 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Ping timeout: 248 seconds]
08:41 -!- troyt [~troyt@2001:1938:240:3000::3] has quit [Ping timeout: 252 seconds]
08:42 -!- HyperGlide [~HyperGlid@221.237.123.59] has quit [Remote host closed the connection]
08:46 -!- troyt [~troyt@2001:1938:240:3000::3] has joined #openvpn
08:46 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Ping timeout: 244 seconds]
09:05 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
09:05 -!- mode/#openvpn [+v s7r] by ChanServ
09:49 -!- b1rkh0ff [~b1rkh0ff@178.77.10.139] has joined #openvpn
09:53 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has left #openvpn []
09:56 -!- b1rkh0ff [~b1rkh0ff@178.77.10.139] has quit [Quit: Leaving]
09:56 -!- b1rkh0ff [~b1rkh0ff@178.77.10.139] has joined #openvpn
10:13 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
10:22 -!- master_of_master [~master_of@p57B5338D.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
10:23 -!- master_of_master [~master_of@p57B521B9.dip.t-dialin.net] has joined #openvpn
10:26 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds]
10:27 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds]
10:27 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn
10:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
10:31 -!- pie__ [~pie_@unaffiliated/pie-/x-0787662] has quit [Quit: pie__]
10:32 -!- blackness [black@vdsl001.client.black.blackmajic.org] has quit [Ping timeout: 260 seconds]
10:46 -!- blackness [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn
11:20 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
11:20 -!- mode/#openvpn [+o krzee] by ChanServ
11:26 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn
11:46 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
11:55 -!- JesseWhite [anonymuse@cpe-68-173-27-87.nyc.res.rr.com] has quit []
12:07 -!- Porkepix [~Porkepix@LMontsouris-156-24-53-197.w193-253.abo.wanadoo.fr] has quit [Quit: Computer has gone to sleep.]
12:22 -!- kyrix_ [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat]
12:24 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit [Ping timeout: 276 seconds]
12:24 -!- b1rkh0ff [~b1rkh0ff@178.77.10.139] has quit [Ping timeout: 246 seconds]
12:25 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 255 seconds]
12:26 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn
12:38 -!- b1rkh0ff [~b1rkh0ff@178.77.6.46] has joined #openvpn
12:40 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has joined #openvpn
12:43 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has quit [Quit: Leaving.]
12:46 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 13:01 -!- _quadDam1ge [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn 13:03 -!- s7r1 [~s7r@82.137.15.99] has joined #openvpn 13:04 -!- a_ [~d@64.111.123.163] has joined #openvpn 13:04 -!- Varazir_ [~mircwars@c-94-255-128-179.cust.bredband2.com] has joined #openvpn 13:04 -!- oskie_ [~usel@h-254-83.a218.priv.bahnhof.se] has joined #openvpn 13:04 -!- kloeri_ [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn 13:04 -!- pelle2_ [~p@178-132-78-93.cust.azirevpn.net] has joined #openvpn 13:04 -!- mjixx_ [~markus@80.67.14.31] has joined #openvpn 13:08 -!- JackWinter1 [~jack@vodsl-4655.vo.lu] has joined #openvpn 13:09 -!- Netsplit *.net <-> *.split quits: kloeri, catsup, oskie, blackness, JackWinter, _quadDamage, +s7r, sitaktif, b1rkh0ff, mjixx, (+2 more, use /NETSPLIT to show all of them) 13:10 -!- kloeri_ is now known as kloeri 13:16 -!- Netsplit over, joins: b1rkh0ff 13:16 -!- blackness [black@2001:470:8cf8::9] has joined #openvpn 13:18 -!- sitaktif [~sitaktif@kollok.org] has joined #openvpn 13:22 -!- Tativie [~Tativie@gateway/tor-sasl/tativie] has joined #openvpn 13:23 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 260 seconds] 13:25 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn 13:26 < Tativie> After setting up OpenVPN in Linux I am seeing ICMP make connections (I think it looks like a simple ping) at least every 20 seconds (to the same server that is running the OpenVPN). This occurs along side the normal OpenVPN traffic. Is this normal behavior? I was not seeing this behavior when I enabled OpenVPN through the gnome-desktop GUI. 
13:29 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn 13:30 -!- nonotza [~nonotza@cpe-66-108-94-161.nyc.res.rr.com] has joined #openvpn 13:33 < wh1p> could just be the clinet or server checking that the connection was still active or that the server was still online :? 13:35 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 13:38 < kunji> Tativie: There are options for what wh1p suggested in the configuration file, maybe take a look at that and see what yours is supposed to be doing. I would think it's normal because I believe the sample configurations does it, though don't quote me on that it's based on my somewhat erroneous memory. 13:41 -!- sw0rdfish- [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has joined #openvpn 13:42 < Tativie> Okay. thanks for the help. :) 13:42 -!- Tativie [~Tativie@gateway/tor-sasl/tativie] has left #openvpn [] 13:57 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye] 13:59 -!- dado_ [~dado@82-149-122-100.wco.wellcom.at] has joined #openvpn 13:59 < dado_> hi 13:59 -!- con3x [~pkinnaird@kobol.geeksoc.org] has joined #openvpn 13:59 < dado_> i have a somewhat unethical question: 14:00 < con3x> Hello, is it possible to route only traffic going out to certain IP's over openVPN from the client side? 14:01 < con3x> (In the config file on OpenWRT) 14:01 < dado_> i have certs and ovpn config file on an encrypted volume, which needs to be mounted with a passphrase under a gnome user session. everytime the user wants to connect he needs to reimport the config since its not there yet when the session is starting. can i somehow use a static configuration which points to a standard set of files, even if they are not there and have it working as soon as the volume is mounted? 14:04 < con3x> dado_: Could you write a script to restart the openVPN service after the drive has been mounted, maybe even write a script that mounts the drive and then restarts openVPN? 
14:04 < con3x> I'm not sure if gnome has the necessary hooks for doing it automaticall 14:04 < con3x> /s/automaticall/automatically 14:07 < dado_> con3x: so restarting the openvpn service should actually reset the "missing" files in the stored session in network-manager? 14:11 < con3x> It should try to reload the whole service again, assuming the files exist when it starts then it should load them (Assuming the files are always in the same place when a drive is mounted). 14:11 < dado_> con3x: that could help. thanks. let my try that 14:11 < con3x> No problem :) 14:13 < dado_> i guess the filenames of the certs and config file dont matter? 14:17 < con3x> As long as they are consistant with the way you are starting openVPN 14:17 < dado_> ok 14:17 < dado_> btw, you are right the files get back loaded correctly after restarting the service 14:17 < con3x> So if you are starting openVPN with the command OpenVPN --config vpn.conf 14:17 < dado_> hmm now i need to find a way to restart the service automatically after the volume gets mounted 14:18 < con3x> What OS are you using? 14:18 < dado_> well actually i use the network-manager openvpn plugin for that 14:18 < dado_> debian 14:19 < dado_> im trying to make a secure thin-client style live cd 14:20 < con3x> Sounds cool :) 14:20 < dado_> yeh, but also a lot of work :) 14:21 < dado_> im almost done tho, just need that last thing for the setup 14:21 < con3x> Do the users of the cd have to mount the drive themselves 14:22 < dado_> unfortunately yes 14:22 < dado_> the perfect situation would be to have it mounted at boot time before X starts 14:22 < dado_> but then it needs to ask an encyryption passphrase, where my skills are not enough to make a script for that 14:23 < dado_> but this way the files would already be where they should be.. 14:26 < con3x> That doesn't sound too hard, have a look at inittab :). 
14:26 < con3x> if not a small script that users can click on that looks like: 14:26 < con3x> mount 14:26 < con3x> /etc/init.d/openvpn restart 14:26 < con3x> should do the trick. 14:28 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has quit [Ping timeout: 255 seconds] 14:28 < dado_> ill look into that 14:29 -!- Controlsfreek [~Controlsf@cpe-69-204-135-43.nycap.res.rr.com] has joined #openvpn 14:30 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has joined #openvpn 14:37 -!- s7r1 [~s7r@82.137.15.99] has quit [Ping timeout: 264 seconds] 14:41 -!- swat [~swat@ubuntu/member/swat] has quit [Quit: Leaving.] 14:47 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [] 14:53 < dado_> con3x: got it working but in a different way 14:54 < dado_> con3x: having the volume now mounted at boot time, asking for the passphrase. so the gnome session starts and the files are already there. yay! 14:54 < con3x> So when the disk boots it asks for the passphrase? :) 14:54 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-12-99.adsl.proxad.net] has quit [Quit: Computer has gone to sleep.] 14:55 < dado_> con3x: ye 14:55 < dado_> +s 14:55 < dado_> the file /etc/crypttab did the trick, which is kinda OT for this channel 14:56 < con3x> Yeah, cool you've got it working though :) congrats. 14:56 < dado_> con3x: thx man. 14:58 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has joined #openvpn 15:03 < hg_5> hello, i have generated 1 config file for 1 client, how to make another ones without starting over all process? 15:04 < dado_> hg_5: just changing the config file for another user wont do it i guess. the certificate and key needs to be generated 15:05 < hg_5> but if i will start process over certificate will be different than is on server ;o 15:11 < dado_> i assume you are generating the certificates from the server, no? 15:12 < dado_> i use pfsense as openvpn server, with a web interface for generating users and certificates. 
i dont know how you do it. 15:32 -!- dado_ [~dado@82-149-122-100.wco.wellcom.at] has quit [Read error: Operation timed out] 15:38 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Quit: Leaving.] 15:39 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn 15:53 -!- hg_5_ [~chatzilla@ip-84-39-175-133.free.aero2.net.pl] has joined #openvpn 15:54 -!- hg_5 [~chatzilla@unaffiliated/hg-5/x-8664886] has quit [Ping timeout: 276 seconds] 15:54 -!- hg_5__ [~chatzilla@91.234.245.245] has joined #openvpn 15:58 -!- hg_5_ [~chatzilla@ip-84-39-175-133.free.aero2.net.pl] has quit [Ping timeout: 255 seconds] 16:05 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat] 16:09 -!- _eMaX_ [~eMaX@67-234.197-178.cust.bluewin.ch] has joined #openvpn 16:09 < _eMaX_> hi all 16:11 < _eMaX_> anyone can help me with an openvpn issue here? I've a problem connecting to devices behind my openvpn server. When a client connects, it gets an ip of 172.16.11.100. the openvpn server has .2, and it can ping back to the client (.100) as well as to another machine on the network (.1). From that other machine, I can ping the openvpn server, but not the client (.100). vice-versa, from the client I cannot ping .1. 
I did set ipforward on the openv 16:22 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 260 seconds] 16:29 -!- ScriptFanix [vincent@2001:910:100b::1] has quit [Ping timeout: 245 seconds] 16:31 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 16:35 < dioz> routes 16:35 < dioz> but not a openvpn issue 16:37 < _eMaX_> thanks 16:37 < _eMaX_> I'm searching for a whole day now but don't find where to set routes and which 16:38 < dioz> i assume your machines behind your server need to be told 16:38 < dioz> "yo this is how you get here and this is your gateway on this interface" 16:40 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn 16:41 < _eMaX_> I basically have —————— 16:41 < _eMaX_> A can ping B, B can ping A, C, D, E; C can ping B and E, but not A; E can ping B, C D but not A 16:42 < _eMaX_> so I assume the vpn server B needs some route 16:43 < dioz> ipv4 packet forwarding? 16:43 < _eMaX_> enabled on B 16:47 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 252 seconds] 16:48 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 16:48 < _eMaX_> also einfacher gesagt, wenn ich 3 rechner habe, A, B, C. A kann B pingen, aber nicht C. C kann B pingen, aber nicht A. B kann beide pingen. wohin muss welche route? 16:49 < _eMaX_> sorry 16:49 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 16:53 < thermoman> emmanuelux: english? 16:55 < thermoman> the --float option is for the case when the remote endpoint is changing his IP address ... is there an correpsonding option for then the client changes its IP? 16:55 < thermoman> e.g. the server has a fixed IP but the client is on a dynamic uplink and the client ip changes ... 
afaik the client then times out and reconnect 16:56 < thermoman> but is there the possibility that (at least with udp) the client just sends packets from its new address and the server recognizes this without the need for the client to reconnect? 17:07 -!- _eMaX_1 [~eMaX@213.221.150.68] has joined #openvpn 17:07 -!- sw0rdfish- is now known as sw0rdfish 17:07 -!- sw0rdfish [sw0rdfish@bouncing.users.since.2011.panicbnc.org] has quit [Changing host] 17:07 -!- sw0rdfish [sw0rdfish@unaffiliated/sw0rdfish] has joined #openvpn 17:08 -!- _eMaX_ [~eMaX@67-234.197-178.cust.bluewin.ch] has quit [Ping timeout: 252 seconds] 17:08 -!- _eMaX_ [~eMaX@67-234.197-178.cust.bluewin.ch] has joined #openvpn 17:11 -!- _eMaX_1 [~eMaX@213.221.150.68] has quit [Ping timeout: 252 seconds] 17:15 -!- brute11k [~brute11k@89.249.230.77] has quit [Quit: Leaving.] 17:17 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 17:18 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 248 seconds] 17:18 -!- Devastator- [~devas@186.214.14.9] has joined #openvpn 17:18 -!- Devastator- [~devas@186.214.14.9] has quit [Changing host] 17:18 -!- Devastator- [~devas@unaffiliated/devastator] has joined #openvpn 17:18 < anth0ny_> I'm trying to set up a openwrt router to use openvpn to connect to another computer. The openvpn server is working and I can connect to it via tunnelblick on my computer. I'm using the same .ovpn file for openwork as I am for Tunnelblick, but get a "read UDPv4 [EHOSTUNREACH|EHOSTUNREACH]: No route to host (code=148)" error when I run openvpn --config myvpn.ovpn. Any ideas? 17:19 -!- Devastator- is now known as Devastator 17:26 < anth0ny_> I believe the problem to be with NATing the VPN client traffic to the internet: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE . should eth0 be the driver that has the ip assigned to it when I run ifconfig? 
17:31 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has joined #openvpn 17:31 -!- anth0ny__ [~anth0ny@d207-6-122-180.bchsia.telus.net] has joined #openvpn 17:31 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 252 seconds] 17:38 -!- anth0ny__ [~anth0ny@d207-6-122-180.bchsia.telus.net] has quit [Ping timeout: 255 seconds] 17:38 -!- _eMaX_ [~eMaX@67-234.197-178.cust.bluewin.ch] has quit [Quit: Leaving.] 18:04 -!- nonotza [~nonotza@cpe-66-108-94-161.nyc.res.rr.com] has quit [Quit: nonotza] 18:18 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 18:23 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 264 seconds] 18:36 -!- corretico [~luis@190.211.93.38] has joined #openvpn 18:37 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 18:38 -!- corretico [~luis@190.211.93.38] has quit [Client Quit] 18:38 -!- corretico [~luis@190.211.93.38] has joined #openvpn 18:43 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Quit: This computer has gone to sleep] 18:43 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 18:44 -!- HyperGlide [~HyperGlid@182.149.53.195] has joined #openvpn 18:48 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 240 seconds] 18:58 -!- hg_5__ [~chatzilla@91.234.245.245] has quit [Ping timeout: 276 seconds] 19:22 <+dvl> Looking at getting a new switch, moving my home lan to a faster speed. Now running at 100M... 19:23 <+dvl> Hmmm, if one port on a switch runs at 100M, that SHOULD NOT affect any other port? e.g. two boxes with 1000M NICs will use that speed... 
19:51 -!- Carbon_Monoxide [~cmonxide@116.92.14.130] has joined #openvpn 19:56 -!- Carbon_Monoxide [~cmonxide@116.92.14.130] has quit [Quit: Leaving] 19:57 -!- Carbon_Monoxide [~cmonxide@116.92.14.130] has joined #openvpn 20:04 -!- nutcase [~nutcase@unaffiliated/nutcase] has quit [Ping timeout: 252 seconds] 20:05 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn 20:08 -!- ch1mkey [ch1m@ns203993.ovh.net] has joined #openvpn 20:10 -!- ch1mkey [ch1m@ns203993.ovh.net] has left #openvpn [] 20:22 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [] 20:26 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 20:52 -!- paccer [uid4847@gateway/web/irccloud.com/x-iggwqzmrrmnhkcai] has joined #openvpn 21:27 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 272 seconds] 21:33 -!- yeshello1here is now known as Winkie 21:33 -!- Winkie [~hi@80.168.239.88] has left #openvpn [] 21:42 -!- brute11k [~brute11k@89.249.230.77] has joined #openvpn 22:12 -!- brute11k [~brute11k@89.249.230.77] has quit [Quit: Leaving.] 22:14 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 22:22 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 22:23 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 256 seconds] 23:00 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn 23:23 -!- anth0ny_ [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 264 seconds] 23:33 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 23:39 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 240 seconds] 23:39 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 23:45 < anth0ny> I'm finishing up the routed VPN setup on an OpenWRT router that I have. 
Looking at the howto.html page on the OpenVPN site, it says that I should NAT the VPN client traffic to the internet, using this: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, with eth0 being the local ethernet interface. I'm not sure that this is the right choice for my router, would someone mind looking at my ifconfig output and letting me know what they think is the right choice: http://pastie.org/private/fitmdhshv6zyzxct8p5w ? 23:47 < anth0ny> Not sure if I should use br0, vlan1, or eth0 23:55 < anth0ny> !goal 23:55 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 23:59 < ngharo> you want the internet-facing interface --- Day changed Mon Jan 14 2013 00:02 < anth0ny> ngharo, is there a way to test what that is, exactly? 00:02 < anth0ny> there are two eth's and two vlans 00:03 < anth0ny> br0 and vlan1 are the only ones with inet addr's 00:03 < ngharo> i'm assuming the vlan with the IP 00:04 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Read error: Connection reset by peer] 00:05 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has joined #openvpn 00:09 -!- anth0ny [~anth0ny@unaffiliated/anth0ny] has quit [Ping timeout: 240 seconds] 00:14 <+pekster> He wants eth0.1 in a standard OpenWRT setup (in case he comes back and I'm not around to notice it) 00:15 <+pekster> And yea, 'ip addr show' would identify it :P 01:18 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn 01:34 -!- hydroxyhydride [~bumblebee@c-76-104-129-87.hsd1.wa.comcast.net] has joined #openvpn 01:34 -!- bumblebee [~bumblebee@c-76-104-129-87.hsd1.wa.comcast.net] has joined #openvpn 01:46 -!- bumblebee [~bumblebee@c-76-104-129-87.hsd1.wa.comcast.net] has quit [Ping timeout: 246 seconds] 01:47 -!- hydroxyhydride [~bumblebee@c-76-104-129-87.hsd1.wa.comcast.net] has quit 
[Ping timeout: 276 seconds] 02:00 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 02:27 -!- brute11k [~brute11k@89.249.230.77] has joined #openvpn 02:47 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 02:51 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Read error: Connection reset by peer] 02:51 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 02:51 -!- mode/#openvpn [+o vpnHelper] by ChanServ 03:02 -!- thinkHell [~Hell@ks399220.kimsufi.com] has joined #openvpn 03:16 -!- defswork [~andy@141.0.50.105] has joined #openvpn 03:31 -!- dazo_afk is now known as dazo 03:55 -!- syzzer [~steffan@50709F7C.static.ziggozakelijk.nl] has joined #openvpn 03:58 -!- Z_Analyzer [~lipalm@173-164-219-57-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving] 04:02 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has joined #openvpn 04:03 < holmen> Hi, anyone here up for teaching me how to work out my two NIC tunneling problem? 04:04 <+pekster> holmen: You tend to get better results in a channel full of community volunteer support if you just ask your question ;) 04:04 <+pekster> !ask 04:04 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc 04:07 < holmen> I have a setup of two physical NICs in my Ubuntu 12.04 server. NIC #1 is connected to a router that gets EXT IP #1. NIC #2 is directly connected to the internet and gets EXT IP #2. Now when setting up an openvpn CLIENT with the option "local " the tunnel activates on NIC #1. I have made the correct routings for NIC #2 and it's able to both send and receive traffic. 04:11 < holmen> To add to this, I am not the server admin of the server I'm trying to connect to so I can't change settings on the server side. 04:21 <+pekster> holmen: Sorry for the delay, I'm not able to give 100% time to IRC. 
So you're connecting from an external client to the public IP that doesn't contain the default route on the server? 04:23 -!- Assid [~assid@198.24.140.58] has joined #openvpn 04:23 -!- Assid [~assid@198.24.140.58] has quit [Changing host] 04:23 -!- Assid [~assid@unaffiliated/assid] has joined #openvpn 04:23 < Assid> heya 04:24 < Assid> so i have an openvpn connection which seems to timeout or something.. and it doesn't seem to reconnect on its own.. which results in connectivity issues since I'm using redirect-gateway 04:25 <+pekster> Assid: the --ping and --ping-restart options (also see the --keepalive helper that abstracts both) will auto-reconnect after contact with the peer is lost 04:27 <+pekster> Note that you need --ping (or --keepalive, which on the server does a push for both options) on *both* ends of the connection (it's okay of course for the server to push this if clients pull it.) The ping is not bi-directional, so the opposing peer needs a --ping for the local peer to make use of --ping-restart or --ping-exit options 04:29 < Assid> what if the server doesn't do keepalive or ping 04:30 <+pekster> Then you can't use that option, and there's no way to know if your connection to the peer was severed internal to OpenVPN 04:30 <+pekster> You could write a creative script to do a standard ping to the peer IP and take restart action if it doesn't respond after so many attempts 04:30 <+pekster> But that's kind of ugly and exactly what the --ping/--ping-restart options are designed to handle 04:30 < Assid> yeah i thought the internal ping does ? 04:31 < Assid> exactly what i meant 04:31 <+pekster> OpenVPN's ping is not an ICMP echo-request (commonly called a "ping" packet in casual network speech) 04:31 <+pekster> It's sent within the OpenVPN control channel 04:32 <+pekster> !keepalive 04:32 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. 
or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive 04:33 -!- Assid|2 [~assid@85.159.236.219] has joined #openvpn 04:33 < Assid|2> ok 04:34 -!- Assid [~assid@unaffiliated/assid] has quit [Disconnected by services] 04:34 -!- Assid|2 is now known as Assid 04:34 -!- Assid [~assid@85.159.236.219] has quit [Changing host] 04:34 -!- Assid [~assid@unaffiliated/assid] has joined #openvpn 04:34 < Assid> hmm 04:34 < holmen> pekster: I'm connecting to an external service, yes. And I want openvpn to tunnel the NIC#2 to that service but when enabling the tunnel it goes for the NIC#1 by default. I have added my query on the stack exchange network with full setting files etc. If you want to take a look: http://unix.stackexchange.com/questions/60955/openvpn-struggling 04:34 <@vpnHelper> Title: ubuntu - OpenVPN struggling - Unix and Linux (at unix.stackexchange.com) 04:34 < Assid> ok i think it should work with keepalive 04:34 < Assid> else will figure something else 04:34 < Assid> btw. anyone here using privateinternetaccess ? 04:35 < Assid> I'm thinking it's prone to MITM since they don't use nsCertType=server 04:36 <+pekster> holmen: What do you mean "it goes for the NIC#1 by default?" 
If the client connects to another interface on the server that has a unique public IP, the server needs to be configured on a network level (outside OpenVPN) to correctly multi-home or it simply won't work 04:37 <+pekster> Assid: I'd need to see a full client config file, but that's possible; it's very easy to implement security software incorrectly 04:38 <+pekster> If their certs are set up properly, you could likely add that option in yourself on the client side 04:38 <+pekster> Some places use the KU/EKU fields instead, or a different solution to the problem of clients posing as a valid server 04:39 < holmen> pekster: Ok, the reason I'm doing this is that I only want a specific program to tunnel its traffic through openvpn, to an anonymizer service. And since they are the ones hosting the server, should I ask them for advice? 04:39 < holmen> i =1 04:41 <+pekster> holmen: Oh, is your client the one that's multi-homed? 04:41 < holmen> Yes, if by that you mean that it's the one with two NICs 04:44 <+pekster> Ah, okay. The issue is your routing table. 'ip route show' will identify your default gateway out eth0, I'd expect 04:45 <+pekster> To multi-home like that, you need to define routing rules to identify traffic that needs to be routed to a gateway on eth1, which generally requires a separate routing table and 'ip rule add ...' rules to identify which traffic to send to that lookup table 04:45 < holmen> i have already added that information to the routing tables 04:46 <+pekster> 'ip route show table all' has your extra tables? and 'ip rule show' has rules to split traffic between them? 
04:47 <+pekster> holmen: You should use -I $pub_ip_of_eth1 instead on your ping 04:47 <+pekster> Make sure that works first 04:48 <+pekster> If not, you have broken multi-homing 04:48 <+pekster> If you need it, here's LARTC's howto on advanced routing: http://lartc.org/howto/ 04:48 <@vpnHelper> Title: Linux Advanced Routing & Traffic Control HOWTO (at lartc.org) 04:49 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has joined #openvpn 04:49 < holmen> Thank you! I'll check this and get back to you. 04:50 <+pekster> For example, I have a server inside my network with 2 IPs; if I tcpdump the interface, I can watch it use different sources (eg: 'tcpdump -pni eth2 icmp') when I do 'ping -I 10.0.0.20 kernel.org' versus 'ping -I 10.0.0.21 kernel.org'. Make sure it works as expected on your setup (ofc, change tcpdump interfaces for your test since it goes across 2 different adapters) 04:50 -!- IT [~userit@86.120.191.55] has quit [Quit: Nettalk6 - www.ntalk.de] 04:54 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 04:55 -!- Assid|2 [~assid@122.170.9.45] has joined #openvpn 04:56 < holmen> I've tried that now and the icmp-packets are sent as they should. The ping goes from ETH#2 to ETH#2. 04:56 -!- Assid [~assid@unaffiliated/assid] has quit [Ping timeout: 246 seconds] 04:58 <+pekster> holmen: Okay. 
The other thing I see now that I double-check the netstat output post-VPN-connect is that the host-route to the VPN endpoint is automatically set to use your existing default gateway, which is via eth0 04:59 <+pekster> holmen: What you probably need to do is use the 'local' flag to the redirect-gateway directive, and handle the host-route yourself via a --route-up script 04:59 <+pekster> That's necessary because you specifically DON'T want the VPN endpoint to be reachable via eth0's IP/interface 05:00 <+pekster> You probably need to use the env-vars the scripts make available to you in order to dynamically determine your remote peer's public IP 05:00 <+pekster> (since you have multiple remote lines) 05:01 <+pekster> 'ip route add $whatever_that_var_is/32 via $pub_ip_of_eth2' 05:01 < holmen> Ok, now comes the noob question. Where can I find the necessary manuals on this? I don't want to hammer you with all my questions :) 05:01 <+pekster> The manpage? 05:01 <+pekster> !man 05:01 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! 05:01 <+pekster> On Linux, you should have 'man openvpn' available 05:01 < Assid|2> setting up another box now 05:02 <+pekster> Yea, I missed that route at the beginning of your output. FYI, 'ip route' is a much cleaner way to show routes; netstat or route are kind of outdated tools :P 05:02 < holmen> Thanks in advance, I'll read up on this and probably get back in the morning. Thank you for all the help 05:04 <+pekster> Yea, np. 
It's a subtle problem with the way --redirect-gateway expects your network to be 05:04 <+pekster> The only bad news is that you mostly need to fix it yourself :P 05:05 <+pekster> On the plus side, it should be a one-line fix in --route-up and --down (since you probably want to remove the route on disconnect) 05:06 <+pekster> 'man ip' and 'ip route help' are also good places to look for info using the ip command 05:06 <+pekster> btw, you win my 'most interesting problem of the month' award that I just made up 05:09 < holmen> haha thank you :) 05:09 <+pekster> I enjoy subtle problems like that; it keeps me on my guard from assuming too much for my own good 05:09 < holmen> The down side is that I'm quite the noob on openvpn and probably will fail on this but trial and error is key :) 05:11 <+pekster> Well, the only ovpn-changes I think you need are using the 'local' flag to --redirect-gateway, and 2 scripts at --route-up and --down. The route-up script needs to add the route as I explained above to your VPN endpoint (there's a variable for that, see the 'SCRIPTING AND ENVIRONMENTAL VARIABLES' manpage section) while the down script needs to remove it on VPN disconnect 05:11 <+pekster> So, 3 changes to the ovpn config, and 2 scripts that you can probably do with a single line of code 05:12 <+pekster> holmen: I think the var you want is $trusted_ip 05:12 <+pekster> FYI 05:12 <+pekster> (available in both --route-up and --down) 05:13 <+pekster> Try something along the lines of '/sbin/ip route add $trusted_ip/32 via $YOUR_ETH1_IP_HERE' 05:14 <+pekster> In the upscript, and the reverse (ip route del ...) 
in --down 05:21 -!- Assid|2 [~assid@122.170.9.45] has quit [Read error: Connection reset by peer] 05:21 -!- daemon [staff@hashweb.org] has quit [Read error: Connection reset by peer] 05:21 -!- daemon [staff@hashweb.org] has joined #openvpn 05:21 -!- nullsign [~nullsign@daedalus.genom.com] has quit [Read error: Operation timed out] 05:21 -!- daemon is now known as Guest47187 05:21 -!- batrick [~batrick@nmap/developer/batrick] has quit [Read error: Operation timed out] 05:21 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer] 05:22 -!- Devastator [~devas@186.214.14.9] has joined #openvpn 05:22 -!- nullsign [~nullsign@daedalus.genom.com] has joined #openvpn 05:24 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn 05:30 -!- Carbon_Monoxide [~cmonxide@116.92.14.130] has quit [Ping timeout: 276 seconds] 05:40 < holmen> pekster: one quick question. How should I use the --redirect-gateway? You mention that I should use the "local" flag. So "--redirect-gateway local" or "--redirect-gateway " ? 05:40 <+pekster> Yea, 'local' is a literal flag. You're already using the 'def1' flag (notice your 2 /1 route overrides on your default gateway) 05:40 <+pekster> Manpage has details on the usage of each flag 05:43 < holmen> gonna change ssh connection and try it out. 05:43 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has quit [Quit: leaving] 05:45 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has joined #openvpn 05:56 < holmen> pekster: hmm, 1 error when trying to execute the up script manually 05:56 < holmen> holmen@filserver:~$ sh openvpn/up 05:56 < holmen> Error: an inet prefix is expected rather than "/32". 
06:01 < holmen> entry in "up": /sbin/ip route add $trusted_ip/32 via 5.150.223.121 06:01 < holmen> and file set to be executable 06:07 < holmen> While starting the tunnel I get this log message: 06:07 < holmen> Mon Jan 14 13:06:08 2013 ROUTE default_gateway=192.168.1.1 06:07 < holmen> think that is my problem? 06:12 < holmen> while tunnel active: 06:12 < holmen> holmen@filserver:~$ ip route show 06:12 < holmen> 0.0.0.0/1 via 46.246.23.129 dev tap0 06:12 < holmen> default via 192.168.1.1 dev eth0 metric 100 06:12 < holmen> x.x.x.x/17 dev eth1 proto kernel scope link src x.x.x.x 06:12 < holmen> 46.246.23.128/25 dev tap0 proto kernel scope link src 46.246.23.180 06:12 < holmen> 80.67.8.203 via x.x.x.x dev eth1 06:12 < holmen> 80.67.8.211 via x.x.x.x dev eth1 06:12 < holmen> 128.0.0.0/1 via 46.246.23.129 dev tap0 06:12 < holmen> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2 06:13 < holmen> Mon Jan 14 13:12:32 2013 WARNING: Failed running command (--up/--down): could not execute external program 06:15 < holmen> I fixed the up/down scripts by removing the "/32" but it still won't execute it whilst starting openvpn 06:17 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit [] 06:18 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn 06:25 -!- Guest47187 [staff@hashweb.org] has left #openvpn [] 06:30 -!- thinkHell [~Hell@ks399220.kimsufi.com] has quit [Quit: ["pop()"]] 06:30 < holmen> pekster: I see now what may be my problem, in "ip route show all" the eth1 routing is as follows: 06:31 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 240 seconds] 06:31 < holmen> x.x.128.0/17 dev eth1 proto kernel scope link src x.x.223.x 06:31 < holmen> notice the changes in subnet.. 
06:32 < holmen> then my extra routing table "openvpn" looks like this: 06:33 < holmen> holmen@filserver:~$ ip route show table openvpn 06:33 < holmen> default via x.x.223.x dev eth1 06:33 < holmen> x.x.223.x dev eth1 scope link src x.x.223.x 06:34 < holmen> but the odd thing is that I can connect to the internet via eth1 on the 223 subnet. :S 06:44 <+pekster> holmen: The redirect-gateway OpenVPN directive will only operate on your main table, IIRC 06:44 <+pekster> With policy routing you'll likely need to handle adjustments to other tables via the --route-up and --down scripts, or use --route-noexec (see the manpage for details) and then you are expected to manage all route changes that are passed to you as env-vars instead of having OpenVPN automatically manage them 06:46 < holmen> holy crap. I think this issue just got past my skill level :/ 06:48 <+pekster> Policy routing and split-route setups are complex enough with just the 2 interfaces, but now you're trying to stack redirection of both across a VPN link too ;) 06:50 < holmen> Hmm I don't know if I misinterpret you now but I only want one interface to go into the tunnel . 
06:50 <+pekster> Oh, in that case then the changes I noted earlier to keep the VPN-host-exception routed via NIC#2's public IP should do the trick 06:51 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has joined #openvpn 06:51 <+pekster> You don't need to worry about your 2nd table controlling the NIC#2 traffic beyond adding a host-route (the /32 thing) out via NIC#2's public IP 06:51 < holmen> Ok but when setting up the tunnel I get the log message of Default gateway being the NIC#1 gateway 06:52 <+pekster> Right, but if you use the 'local' option, then you can override the implied error resulting from that setup 06:52 <+pekster> See, without the 'local' flag, OpenVPN will add a route to your external IP of the VPN server so it is *not* routed across the VPN (you need this because you can't route your encrypted VPN packets over the VPN: see the problem with that?) 06:53 <+pekster> So, once you understand why that needs to be added, you can pass the 'local' flag to not do that automatically (which uses your existing default gateway on NIC#1) and instead manage that same feature yourself by sending traffic to the VPN host out NIC#2 06:53 <+pekster> Hence the 'ip route add $trusted_ip/32 via $public_ip_on_nic2' line 06:54 <+pekster> You need that on the routing table responsible for traffic generated by NIC#2 where your openvpn instance is running 06:54 <+pekster> After that, the magic of --redirect-gateway will override your default route on NIC#1 by adding the 2 routes with the /1 mask (128.0.0.0) that define the entire Internet. This sends them via your VPN peer IP over the tun device 06:56 <+pekster> So, with the --route-up and --down script, I think you'll be set, but only if the gateway you wish to override is on your main routing table (not a sub-table you're sending stuff to with a custom 'ip rule' setup.) Is that the case, or is your configuration more complex? 06:56 < holmen> Ok. It's a lot to take in but I get the gist of it I think. 
Can I PM you my setup files and program execution lines for further knowledge? 06:57 <+pekster> Sure, although I'll try to keep discussion here if you don't mind (if you don't want your private configs posted here feel free to PM them) but others might benefit from the overall discussion, or even see something I miss 06:57 < holmen> Ofc 06:58 <+pekster> At the very least, I can see what you have now to make sure I get what you have and what's configured; it'd be helpful in addition to client ovpn config files to get the scripts, plus the output of 'ip route show table all' 06:58 <+pekster> 'ip addr show' would be useful too so I know what I'm actually looking at :P 06:59 <+pekster> I'll be around, so if I don't respond right away I'm probably just in another window for a bit 07:09 -!- brute11k [~brute11k@89.249.230.77] has quit [Ping timeout: 272 seconds] 07:17 -!- bjh4 [~bjh4@ool-4357696f.dyn.optonline.net] has quit [Ping timeout: 272 seconds] 07:19 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has quit [Ping timeout: 272 seconds] 07:23 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has joined #openvpn 07:46 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn 07:46 < AsadH> novaflash ! 07:46 < novaflash> mm? 07:46 < AsadH> I found you 07:46 < AsadH> That's all 07:47 < novaflash> mm. 07:47 -!- centurio [~opera@anon-185-82.vpn.ipredator.se] has joined #openvpn 07:47 < centurio> hello 07:48 < centurio> May I ask for help about iptables? 
07:48 <+pekster> centurio: As it relates to OpenVPN, go for it; depending on your question it's possible #netfilter may be a better place to ask, but you're welcome to try here first 07:51 < centurio> thanks 07:51 < centurio> I'm running openvpn client on a dd-wrt router 07:52 < centurio> I have modified the iptables contrary to what my vpn provider told me 07:53 < centurio> the problem was that the dns requests were not passed through the clients on my network 07:53 < centurio> only my isp dns servers, which don't work once the tunnel is up 07:54 < centurio> dnsmasq is set to use public servers 07:54 < centurio> http://www.pastebay.com/1174089 07:54 < centurio> I pasted my previous config and my new config 07:54 < centurio> the new config works, I do not have to set static dns on every client of my network 07:55 < centurio> but I'm not sure the new config is secure 07:55 < centurio> I use it together with --up 07:55 <+pekster> You can remove line 20 as it's worthless 07:56 < centurio> ok 07:57 <+pekster> Otherwise sure; the only forwarded traffic from tun0 to br0 will be stuff bound for your private clients, otherwise it'll end up on INPUT. You should really only accept --state RELATED,ESTABLISHED traffic there instead 07:57 <+pekster> Then you don't need to switch rulesets when you start/stop the VPN 07:57 <+pekster> Just use the 2nd one and you'll be set 07:59 <+pekster> No idea why you're using -I all over the place either; if you call those scripts over and over you'll just keep inserting more and more rules into your kernel; you should really use iptables-restore for that, and pass it a file you create with iptables-save (unless you really need rules to be dynamically managed) 08:01 < centurio> I was advised to do so 08:01 < centurio> alternatively, I can create a down script removing all the rules 08:02 < centurio> should I replace -I by -A? 08:03 <+pekster> I don't really have a clue how your setup is. 
If that's your only VPN (and will thus always be tun0) you can just leave your ruleset in place persistently and not worry about overriding the existing chains when the VPN comes up 08:04 < centurio> yes, it's my only vpn 08:04 <+pekster> With OpenWRT you should be hooking into the existing chains (they have special user chains for stuff like this you're supposed to be using.) I don't know what they are offhand because my OpenWRT setup has a firewall I wrote from scratch, so it's nothing like a standard setup 08:04 <+pekster> They have something named 'user_forward' and 'user_input' or something to that effect 08:05 <+pekster> (personally, I think the OpenWRT default is really messy and ugly and hard to follow, but it's all magically supported by LuCI, so it stays that way) 08:05 < centurio> lots of people advised me to go OpenWRT 08:05 <+pekster> If you can post your OpenWRT ruleset via 'iptables-save' to a pastebin site (after a reboot or something would be good so all your rule inserts don't pollute the output) I might be able to suggest a solution 08:06 <+pekster> centurio: Yes, the distro is fine. Managing custom iptables rules with a VPN is non-trivial to set up, however. 
I can likely give you a suggestion if I get a default ruleset that you can add to /etc/firewall.user 08:06 <+pekster> The OpenWRT firewall is "not simple" 08:09 < centurio> hmm I can't get iptables to show me the current rules 08:11 -!- brute11k [~brute11k@89.249.235.236] has joined #openvpn 08:12 <+pekster> Don't use iptables; it's a bad way to dump rules 08:12 <+pekster> 'iptables-save' is what you should be using 08:13 < centurio> iptables-save: not found 08:16 < centurio> looks like I can't do this on dd-wrt 08:18 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds] 08:18 < centurio> so I uploaded a new version 08:18 < centurio> http://www.pastebay.com/1174104 08:20 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has quit [Ping timeout: 272 seconds] 08:21 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Quit: Nettalk6 - www.ntalk.de] 08:22 <+pekster> centurio: Well, you can pastebin 'iptables -nvL' and 'iptables -t nat -nvL' and 'iptables -t mangle -nvL' as well 08:23 <+pekster> Stupid dd-wrt devs not making that a default feature 08:26 < centurio> iptables -nvL: http://www.pastebay.com/1174110 08:27 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has joined #openvpn 08:28 < centurio> iptables -t nat -nvL: http://www.pastebay.com/1174111 08:29 <+pekster> centurio: Okay, ask the #dd-wrt folks how to add these rules to your firewall on-boot: https://pastee.org/5cbwp 08:29 < centurio> iptables -t mangle -nvL: http://www.pastebay.com/1174112 08:30 -!- ade_b [~Ade@109.58.51.110.bredband.tre.se] has joined #openvpn 08:30 -!- ade_b [~Ade@109.58.51.110.bredband.tre.se] has quit [Changing host] 08:30 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 08:30 <+pekster> You'll then need to figure out how to route them via that link 08:30 <+pekster> No clue if you're already using a 'redirect-gateway' setup, but if not you'll need to write some routing rules to do that in addition to the firewall config 08:32 -!- Saviq_ 
[~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 08:37 < centurio> ok 08:37 < centurio> thanks for the help 08:37 <+pekster> Yup. All that -I crap kept inserting new rules in your firewall, so you probably want to reboot if you don't know how to reload your firewall to its proper setup 08:38 < centurio> these rules you pasted are in addition to what I also pasted here: http://www.pastebay.com/1174104 08:38 <+pekster> No 08:38 <+pekster> In place of that 08:38 < centurio> cool 08:38 < centurio> much more neat 08:38 <+pekster> Don't run stuff like that each time you connect to the VPN; it's really bad for your ruleset 08:39 <+pekster> Dynamic managing of your ruleset on-event like that requires advanced scripting and knowledge of the netfilter (aka "iptables") system 08:39 < centurio> that is out of my league 08:39 <+pekster> So: don't do it! (unless you really know what you're doing.) Whoever gave you that script had no clue what they were doing 08:39 < centurio> nice 08:40 <+pekster> Just use the crap I gave you for your firewall; ask the dd-wrt folks how to apply it when your ruleset starts up 08:40 <+pekster> That's not routing mind you, just the firewall to permit access how you need 08:41 < centurio> ok 08:41 < centurio> thanks for the advice 08:41 < centurio> I'll let you know how it turns out 08:48 -!- centurio [~opera@anon-185-82.vpn.ipredator.se] has quit [Ping timeout: 256 seconds] 08:59 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn 09:02 -!- Orbital [~opera@anon-184-93.vpn.ipredator.se] has joined #openvpn 09:03 -!- Orbital is now known as Guest97591 09:05 -!- Guest97591 [~opera@anon-184-93.vpn.ipredator.se] has left #openvpn [] 09:06 -!- Guest97591 [~opera@anon-184-93.vpn.ipredator.se] has joined #openvpn 09:15 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Quit: Ex-Chat] 09:21 -!- Azrael808 [~peter@212.161.9.162] has quit [Quit: Ex-Chat] 09:21 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for 
his shirt] 09:22 -!- ade_b [~Ade@109.58.51.110.bredband.tre.se] has joined #openvpn 09:22 -!- ade_b [~Ade@109.58.51.110.bredband.tre.se] has quit [Changing host] 09:22 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 09:25 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 09:33 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 09:37 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has quit [Ping timeout: 264 seconds] 09:40 -!- Guest97591 [~opera@anon-184-93.vpn.ipredator.se] has quit [Ping timeout: 252 seconds] 09:41 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 09:44 -!- Azrael808 [~peter@212.161.9.162] has quit [Client Quit] 09:45 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has joined #openvpn 10:06 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds] 10:08 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 10:11 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 276 seconds] 10:11 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has quit [Ping timeout: 272 seconds] 10:11 -!- Alanonzander [~azander@209.124.51.200] has joined #openvpn 10:12 < Alanonzander> !welcome 10:12 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample 10:12 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 10:12 < Alanonzander> !redirect 10:12 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 10:12 <@vpnHelper> http://ircpimps.org/redirect.png 10:13 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has joined #openvpn 10:17 < Alanonzander> I need assistance getting an internal OpenVPN client to send _some_ of its output via the openVPN server. What I need is some examples to help me understand what I need to do. I have looked at the redirect from the bot, and it only helps to confuse me. 10:17 -!- Orbi [~opera@anon-149-38.vpn.ipredator.se] has joined #openvpn 10:17 <@ecrist> !goal 10:17 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 10:17 <@ecrist> we need more specific information of what you mean by _some_ 10:18 < Orbi> @pekster 10:18 < Alanonzander> I need to proxy a SFTP and a Soap/WSDL connection through the VPN. 10:18 < Alanonzander> both are outgoing from the client. 10:18 <@ecrist> are those connections made to a specific IP? 10:18 < Alanonzander> yes 10:18 <@ecrist> is that IP on the VPN, or somewhere else? 
10:19 < Alanonzander> elsewhere 10:19 <@ecrist> so, you need to first setup a VPN (don't worry about sending traffic to/from anywhere yet) 10:19 <@ecrist> start there, let me know when that's done 10:19 < Alanonzander> I ahve done that 10:20 <@ecrist> !configs 10:20 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config 10:20 < Alanonzander> The VPN works for client-to-client connections now. 10:21 <@ecrist> ok, so you need to add that special IP to your server config in a push "route..." line 10:21 <@ecrist> and configure the vpn server to nat traffic going out to that IP properly 10:22 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has quit [Ping timeout: 252 seconds] 10:22 -!- master_of_master [~master_of@p57B521B9.dip.t-dialin.net] has quit [Ping timeout: 256 seconds] 10:22 < Alanonzander> Examples? 10:22 <@ecrist> !man 10:22 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! 10:23 <+pekster> Orbi: you asked about redirection: see this for info: 10:23 <+pekster> !redirect 10:23 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 10:23 <@vpnHelper> http://ircpimps.org/redirect.png 10:24 -!- master_of_master [~master_of@p57B54C0D.dip.t-dialin.net] has joined #openvpn 10:24 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has joined #openvpn 10:25 < Alanonzander> ecrist, everything you have pointed me to only serves to confuse me more. 10:26 < Alanonzander> please assume I know NOTHING about networking 10:26 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds] 10:29 -!- Porkepix [~Porkepix@88-190-200-7.rev.dedibox.fr] has quit [Ping timeout: 252 seconds] 10:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 10:35 <@ecrist> Alanonzander: we're not here to teach you networking 10:35 <@ecrist> !101 10:35 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc 10:36 -!- AsadH is now known as zz_AsadH 10:36 < |Mike|> nice one 10:37 < Alanonzander> Not asking for that, asking for EXAMPLES. So much for this being a place to get help. 10:37 -!- Alanonzander [~azander@209.124.51.200] has quit [Quit: Leaving] 10:37 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 10:37 -!- mode/#openvpn [+b *!*@209.124.51.200] by ecrist 10:38 < Rienzilla> lol 10:39 < gladiatr> oo... shiny 10:41 < Orbi> !def1 10:41 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. 
or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 10:41 <+pekster> Orbi: Ask questions in the channel, since I'm not your personal paid support 10:42 <+pekster> That said, the client can add 'redirect-gateway' values to its own config; the client LAN won't be visible to the server or any networks behind it, so you'd need NAT to support local systems behind a VPN peer acting as a client 10:43 < Orbi> !ipforward 10:43 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward 10:43 -!- swat [~swat@ubuntu/member/swat] has quit [Quit: Leaving.] 10:43 < Orbi> !linipforward 10:43 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT 10:43 <@ecrist> !factoids 10:43 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 10:46 <+pekster> Orbi: Really? Come on, no more PMs for conversation that obviously belongs in the channel. Last warning before I stop caring about your questions completely. Did you read the flowchart you were linked via the !redirect bot message? That's all stuff you do client side, not server-side 10:47 <+pekster> You can push it from the server, but you're not required to. See the 2nd flowchart box specifically 10:49 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 10:49 < Orbi> @pekster got it 10:49 < Orbi> !man 10:49 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! 
10:50 < Orbi> !nat
10:50 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
10:50 < Orbi> !linnat
10:50 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
10:50 <+pekster> All the flowcharts the bot has were written in such a way that they cover each step you need to take, in order, to accomplish your task
10:51 <+pekster> You probably have your NAT worked out with the -j MASQUERADE for traffic going out your tun interface in your netfilter/iptables rules. But you shouldn't worry about that if you're trying to redirect the gateway, since you need *that* working before you can worry about NAT. Just follow the flowchart, and don't skip steps
10:52 -!- dazo is now known as dazo_afk
10:53 -!- b1rkh0ff [~b1rkh0ff@178.77.6.46] has quit [Read error: Connection reset by peer]
10:56 -!- Orbi [~opera@anon-149-38.vpn.ipredator.se] has quit [Ping timeout: 256 seconds]
10:57 -!- Orbi [~opera@56.52-65-87.adsl-dyn.isp.belgacom.be] has joined #openvpn
11:02 -!- Orbi [~opera@56.52-65-87.adsl-dyn.isp.belgacom.be] has quit [Ping timeout: 272 seconds]
11:03 -!- Orbi [~opera@anon-184-31.vpn.ipredator.se] has joined #openvpn
11:03 -!- raidz_away is now known as raidz
11:04 < Orbi> I enabled redirect-gateway def1
11:04 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 252 seconds]
11:04 -!- pelle2_ is now known as pelle2
11:04 < Orbi> I went through all the steps
11:05 < Orbi> !ipforward
11:05 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
11:05 < Orbi> !linipforward
11:05 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
11:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:08 < Orbi> probably a dumb question, but just to be sure: I followed the flowchart all the way to "It Works!"
11:08 < Orbi> does that mean that IP forward is enabled?
11:09 <+pekster> Yes; routers don't work unless they are forwarding IP packets
11:09 < Orbi> so I don't need this rule: iptables -I FORWARD -i tun+ -j ACCEPT
11:10 <+pekster> Maybe not; the preferred way to accept traffic from potentially unknown sources is to use stateful firewall rules
11:11 <+pekster> -i $some_external_facing_interface --state ESTABLISHED,RELATED -j ACCEPT
11:11 <+pekster> or such
11:11 < Orbi> Everything works without that rule, so better to leave it so
11:11 <+pekster> You might benefit from some basic tcp/ip reading:
11:11 <+pekster> !tcpip
11:11 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
11:12 < Orbi> yes, I certainly could
11:12 <+pekster> Higher level features like VPN operation are going to be very hard if you don't have a good handle on the basics
11:12 < Orbi> thanks for the tip and your helpful support. I'm going to read that.
11:15 < Orbi> is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf still active?
11:16 < Orbi> never mind, opera does not want to open it.
11:17 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
11:26 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 255 seconds]
11:29 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn
11:32 < Orbi> I'm confused, should I use: iptables -t filter -A lan2wan -i br0 -o tun0 -j ACCEPT or
11:32 < Orbi> iptables filter -A lan2wan -i br0 -o tun0 -j ACCEPT ?
11:34 <+pekster> -t filter, or leave it off because filter is the default table
11:34 <+pekster> See the iptables manpage for usage details
11:35 < Orbi> yes, I was reading that, that's why I was asking :)
11:40 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn
11:40 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host]
11:40 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:40 -!- Orbi [~opera@anon-184-31.vpn.ipredator.se] has quit [Ping timeout: 264 seconds]
11:41 -!- Orbi [~opera@anon-149-224.vpn.ipredator.se] has joined #openvpn
11:45 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds]
11:46 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
11:46 -!- Orbi [~opera@anon-149-224.vpn.ipredator.se] has quit [Ping timeout: 252 seconds]
11:47 -!- Lord-M [~LordM@ip-80-113-202-148.ip.prioritytelecom.net] has joined #openvpn
11:47 < Lord-M> Anybody around who can help me with an issue I'm having after upgrading from OpenVPN 2.2.2 to 2.3.0 (on Windows)?
11:48 -!- Orbi [~opera@109.129.27.94] has joined #openvpn
11:50 <+pekster> Lord-M: What specifically are you having problems with after the upgrade? Is everything else (config files, any scripts, ccd setup, etc all the same too?)
11:50 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
11:51 < Lord-M> TAP adapter is not getting a default gateway anymore (connection works just fine, configuration files unchanged)
11:52 <+pekster> Can you try deleting all tap adapters and creating a new one? The 'delalltap.bat' script is no longer installed by default, but just re-install the 'tap-windows.exe' program from your \bin\ directory and you'll get it back
11:52 -!- zz_AsadH is now known as AsadH
11:52 < Lord-M> I'll give it a try
11:52 <+pekster> It'll be under a separate programs directory called 'TAP-Win32' (or a similar name, but it begins with TAP)
11:55 -!- AsadH is now known as zz_AsadH
11:57 < Lord-M> removed and reinstalled, doesn't appear to make a difference...
11:57 < Lord-M> did anything change with respect to the handling of the default gateway in a bridged setup?
11:58 <+pekster> What's delivering the gateway? OpenVPN, or an actual DHCP server at the remote end attached to the bridge?
11:58 < Lord-M> DHCP server at the other end
11:58 < Lord-M> I see a lot of "Mon Jan 14 18:57:48 2013 Extracted DHCP router address: 192.168.xx.x" in the log
11:59 < Lord-M> but it doesn't appear to get picked up on the client side
12:01 <+pekster> I'm not aware that anything changed, although I'm not sure what OpenVPN would be caring about the dhcp traffic since my understanding was that was left to the tap driver in a bridged setup like that
12:03 <+pekster> Lord-M: Try adding a --route-delay option perhaps?
12:03 < Lord-M> Tried that, that's actually where the fun starts... ;)
12:03 <+pekster> :\
12:03 < Lord-M> :P
12:04 < Lord-M> I've been trying to get it to set "route 0.0.0.0 0.0.0.0" with the default gateway set through DHCP using "route-gateway"
12:04 < Lord-M> using a route-delay of 10 seconds to ensure it's available
12:04 < Lord-M> when I try that, OpenVPN seems to ignore the delay...
12:05 < Lord-M> when I manually do "route 0.0.0.0 0.0.0.0 192.168.x.x" everything works just fine
12:05 <+pekster> I've generally found the 'tap-delay' parameter to give better results under most Windows platforms
12:05 < Lord-M> ah k, I'll give that one a try
12:05 <+pekster> My "usual" make Windows suck-less options tend to be: --ip-win32 dynamic --route-method exe --tap-sleep 5
12:05 <+pekster> Sometimes I'll use the value of 10 instead
12:05 <+pekster> Sometimes I mix it up, but for some reason I keep coming back to that magic set of options
12:06 <+pekster> Take it with a grain of salt, since I don't do much with tap (now and then, but not often)
12:08 <+pekster> Oh, I guess --ip-win32 is worthless for you (that's only interesting if using ifconfig to set the IP, otherwise it won't help)
12:08 < Lord-M> nope, sadly doesn't make a difference... The "route 0.0.0.0 0.0.0.0" statement gets executed before delay (both route-delay, or tap-sleep)
12:08 < Lord-M> when I change the statement in "route 0.0.0.0 0.0.0.0 192.168.x.x" it takes the delay into account :|
12:09 <+pekster> The only other interesting Windows-specific option that might do some good would be --dhcp-renew to get it to "re-renew" in case something got messed up the first time it did a DHCP DISCOVER call
12:10 < Lord-M> tried that, also doesn't work (did work with 2.2.2 though)
12:10 <+pekster> I'm not really feeling great about that fixing things (the docs seem to suggest it's not useful when you already get a normal discovery process)
12:10 <+pekster> Ugh
12:10 < Lord-M> what does solve the problem is "redirect-gateway"
12:11 < Lord-M> both that completely kills the existing gateway (which is not what I'm after)
12:11 < Lord-M> that again is solved by doing a full "ipconfig /refresh" after OpenVPN gets connected (so my previous default gateway is restored *and* that TAP adapter hangs on to its own default gateway)
12:11 < Lord-M> but that is problematic as it gets screwed up again if OpenVPN reconnects at some point...
12:12 < Lord-M> *both = but
12:12 <+pekster> I suppose you need tap versus a tun setup if you're going through all this trouble?
12:12 <+pekster> tun makes things a lot cleaner :P
12:13 < Lord-M> honestly never tried ;) TAP always worked for me, but I'll have a look at a TUN setup... Will that still work with bridging, etc?
12:13 <+pekster> No, it's a routed setup, not bridged
12:14 <+pekster> And because of that it has a lot fewer moving parts to break (plus less wasted bandwidth)
12:14 <+pekster> !tunortap
12:14 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
12:14 <@vpnHelper> over the vpn or (#4) lan gaming? use tap!
12:14 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat]
12:14 <+pekster> Really, unless you are actually transmitting Ethernet frames or require real broadcast support, you don't want/need tap
12:14 < Lord-M> ok
12:15 < Lord-M> and basically the only change is that I need OpenVPN to push a couple of routes through to the client?
12:15 <+pekster> Yea, and your server-side network to be made aware how to route back to the VPN LAN
12:15 <+pekster> In a corporate environment you just add routes to the corporate routers to send traffic to the VPN server
12:16 < Lord-M> kk... I think I've done this before (running DD-WRT)
12:16 < Lord-M> perhaps a (final) stupid question: But what would I need real broadcast support for?
12:16 <+pekster> Multicast, or some programs (eg: games doing a LAN broadcast to find other game hosts on the network)
12:17 < Lord-M> ok, well then, I'll give the TUN setup a try... Thanks a lot!
12:17 <+pekster> Some "auto-discovery" protocols like to use broadcasts to announce themselves (eg: UPnP)
12:17 <+pekster> Yup. Most people don't need broadcast support, or have ways around them for VPN users
12:18 <+pekster> Good luck, and despite the effort switching your working 2.2.x setup over, I suspect you'll be happier in the end with a less complex setup
12:18 < Lord-M> I'm basically using it for some SMB shares, so that shouldn't be a problem
12:22 -!- Orbi [~opera@109.129.27.94] has quit [Ping timeout: 248 seconds]
12:25 -!- Orbi [~opera@anon-149-10.vpn.ipredator.se] has joined #openvpn
12:28 -!- Lord-M [~LordM@ip-80-113-202-148.ip.prioritytelecom.net] has quit [Quit: Cheers!]
12:29 -!- Orbi [~opera@anon-149-10.vpn.ipredator.se] has quit [Ping timeout: 248 seconds]
12:39 -!- Orbi [~opera@anon-185-46.vpn.ipredator.se] has joined #openvpn
13:12 < Orbi> I'm getting this error 6 times after "Initialization Sequence Completed": write UDPv4 [EMSGSIZE Path-MTU=1492]: Message too long (code=97)
13:12 < Orbi> What does it mean?
13:17 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn
13:17 < WhoNeedszzz> Hey guys
13:17 < WhoNeedszzz> I just updated to 2.3.0 and now i'm getting this on my client: "Authenticate/Decrypt packet error: packet HMAC authentication failed"
13:17 < WhoNeedszzz> I haven't changed anything since running 2.3 rc2
13:18 < WhoNeedszzz> Is there a config difference?
13:19 -!- grimeton [~ruth@2a01:4f8:d12:c45:0:dead:beef:cafe] has joined #openvpn
13:19 < grimeton> is it possible to tell the daemon to use a different destination address on a udp tunnel without reestablishing the connection?
13:24 <+pekster> grimeton: See --float in the manpage, although that only works if one end moves to a new source IP that the other peer can see
13:28 < WhoNeedszzz> here's my server and client configs: https://gist.github.com/eb730f60b24bea9b408a
13:28 <@vpnHelper> Title: gist:eb730f60b24bea9b408a (at gist.github.com)
13:28 < WhoNeedszzz> Everything worked with 2.3 rc2
13:31 < WhoNeedszzz> Anyone?
13:34 < grimeton> pekster: yeah, i know, that's NOT what i want
13:44 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Ping timeout: 246 seconds]
13:49 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn
13:50 < WhoNeedszzz> Sorry net messed up. Did anyone respond?
13:50 < Orbi> @WhoNeedszzz not yet
13:52 -!- b1rkh0ff [~b1rkh0ff@178.77.8.47] has joined #openvpn
13:55 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Ping timeout: 244 seconds]
13:55 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn
13:55 < WhoNeedszzz> I feel like it's a config change
13:55 < WhoNeedszzz> But i don't see any documentation for 2.3.9
13:55 < WhoNeedszzz> 2.3.0*
13:57 < Orbi> open your 2.3 rc2 and 2.3.0 configs in notepad++ and compare them for differences
14:00 < WhoNeedszzz> there is only one config
14:00 < WhoNeedszzz> I didn't change anything from 2.3 rc2
14:01 < WhoNeedszzz> Other than now adding tls-server and tls-client
14:01 < WhoNeedszzz> i'm saying are there differences that 2.3.0 expects that i'm not aware of
14:02 < WhoNeedszzz> i just wish i knew what route line it is referring to
14:03 < WhoNeedszzz> Perhaps this? /usr/sbin/ip route add 72.14.183.109/32 via 192.168.1.1
14:03 < WhoNeedszzz> Should it be /32?
14:08 -!- Orbi [~opera@anon-185-46.vpn.ipredator.se] has quit [Ping timeout: 248 seconds]
14:13 -!- mattock_afk is now known as mattock
14:15 < plaisthos> WhoNeedszzz: there should not be any difference between rc2 and final in that area of code
14:16 -!- Orbi [~opera@109.129.44.7] has joined #openvpn
14:17 < plaisthos> there are only two changes from rc2 to final, one does not affect linux and the other is related to push messages
14:20 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Ping timeout: 260 seconds]
14:20 -!- WhoNeedszzz [~WhoNeedsz@adsl-074-170-159-249.sip.msy.bellsouth.net] has joined #openvpn
14:20 -!- WhoNeedszzz [~WhoNeedsz@adsl-074-170-159-249.sip.msy.bellsouth.net] has quit [Changing host]
14:20 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn
14:20 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Client Quit]
14:21 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn
14:21 < WhoNeedszzz> so i'm curious then what's wrong
14:21 < WhoNeedszzz> if there aren't many changes
14:21 < WhoNeedszzz> since it worked fine in rc2
14:22 < plaisthos> it must be something different than rc2 vs final
14:22 < WhoNeedszzz> well i didn't change anything else
14:22 < WhoNeedszzz> the route also fails in windows if that helps
14:23 < WhoNeedszzz> did you look at my config i pasted earlier?
14:23 < plaisthos> route failure is also different from hmac fail
14:23 < WhoNeedszzz> i fixed the hmac issue
14:23 < WhoNeedszzz> just needed to add tls-server in server config and tls-client in client config
14:25 < WhoNeedszzz> It's definitely this line: ip route add 72.14.183.109/32 via 192.168.1.1
14:25 < plaisthos> WhoNeedszzz: on the client?
14:25 < WhoNeedszzz> yes
14:25 < WhoNeedszzz> if i enter the command manually i get: RTNETLINK answers: File exists
14:25 < plaisthos> what is the error?
14:25 < plaisthos> are you running two instances of openvpn?
14:25 < WhoNeedszzz> no
14:26 < plaisthos> how does your routing table look (netstat -rn), is there already that route?
14:26 < WhoNeedszzz> hmm it is there
14:26 < WhoNeedszzz> odd
14:26 < WhoNeedszzz> so just delete it?
14:26 < plaisthos> yes
14:27 < plaisthos> may be a leftover from a previous try
14:29 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Read error: Connection reset by peer]
14:29 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
14:30 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn
14:30 < WhoNeedszzz> ok progress
14:30 < WhoNeedszzz> now no route error
14:30 < WhoNeedszzz> but i'm getting "ROUTE6: default_gateway=UNDEF" in client output
14:30 < plaisthos> WhoNeedszzz: sure :_
14:31 < plaisthos> you don't use server-ipv6
14:31 < plaisthos> (or all options set by server-ipv6)
14:31 < plaisthos> or whatever the option is called
14:31 < WhoNeedszzz> hmm well when i use server-ipv6 the pool is configured wrong
14:32 < WhoNeedszzz> i didn't use server-ipv6 in rc2 and it worked fine
14:32 < thermoman> who to contact to get something added to the FAQ? (http://openvpn.net/index.php/open-source/faq/79-client/317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq.html)
14:32 <@vpnHelper> Title: "MULTI: bad source address from client , packet dropped" or "GET INST BY VIRT: [failed]"? (at openvpn.net)
14:33 -!- Orbi [~opera@109.129.44.7] has quit [Ping timeout: 248 seconds]
14:35 < WhoNeedszzz> yeah it messes up the pool
14:35 < plaisthos> WhoNeedszzz: care to report the bug?
14:35 < WhoNeedszzz> it should be :7100, but it picks :8000 which is out of my range of addresses
14:35 < WhoNeedszzz> well it could be anywhere from :7000 to :7FFF
14:36 < WhoNeedszzz> but not :8000
14:36 < WhoNeedszzz> what line sets up the ipv6 gateway?
14:36 -!- Orbi [~opera@anon-149-72.vpn.ipredator.se] has joined #openvpn
14:37 < Orbi> any clues as to these errors: "Initialization Sequence Completed": write UDPv4 [EMSGSIZE Path-MTU=1492]: Message too long (code=97) ?
14:38 < plaisthos> WhoNeedszzz: ifconfig6 line
14:38 < plaisthos> being pushed by the server
14:38 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 276 seconds]
14:38 <+pekster> WhoNeedszzz: IIRC, you can't use OpenVPN with anything smaller than a /112
14:39 <+pekster> You should be allocated at *least* a /64 from any upstream provider
14:39 <+pekster> At least, any provider worth using
14:40 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn
14:40 < WhoNeedszzz> i do have a /64
14:40 < WhoNeedszzz> 2600:3c00::21:7000/64 - 2600:3c00::21:7fff/64
14:40 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn
14:41 <@ecrist> that looks like a /56 to me
14:41 < WhoNeedszzz> 2600:3c00 is linode
14:41 <+pekster> ecrist: that "range" he gave is both in the "same" /64
14:41 < plaisthos> ecrist: nah
14:41 <+pekster> Scrape off the bogus CIDR mask that I don't think he means and that's actually a /116
14:42 <+pekster> NOT a /112
14:42 <+pekster> ovpn can't work with a /116
14:42 < WhoNeedszzz> i'm pulling the info straight from my server's dashboard
14:42 < plaisthos> WhoNeedszzz: you need server-ipv6 to push the ifconfig and gateway to client iirc
14:42 < WhoNeedszzz> /64
14:42 <+pekster> WhoNeedszzz: You don't seem to understand how a /64 works. You'd get 2600:3c00:0:0:0:0:0:0 through 2600:3c00:0::ffff:ffff:ffff:ffff
14:42 <+pekster> That is a /64
14:42 <+pekster> Anything less than that range is not a /64
14:43 <+pekster> Sorry, missed a 0 in the 2nd output
14:43 <@ecrist> sorry, guys, I missed the short notation ::
14:43 * ecrist flogs himself appropriately
14:43 < plaisthos> I don't think that configuration ever worked
14:43 <+pekster> ecrist: np. ipv6 gets long (one of the obvious drawbacks)
14:43 < WhoNeedszzz> the range is 4096 addresses
14:43 < WhoNeedszzz> Surely that is enough
14:43 <@ecrist> WhoNeedszzz: you're fine
14:43 <+pekster> But he doesn't have a /112?
14:43 < WhoNeedszzz> so it looks like i need --route-ipv6
14:44 <+pekster> ecrist: Does 2.3.0 final support arbitrary CIDR masks? I'm still somewhat new to IPv6 support in ovpn, so maybe my info is old?
14:44 < plaisthos> pekster: it needs more than /112
14:44 <+pekster> If he really only has 2600:3c00::21:7000/116, can that be expressed?
14:44 <@ecrist> I'm not sure, pekster
14:44 < plaisthos> right
14:44 <@ecrist> I've only used it with a /64
14:45 < plaisthos> but I don't think he has only /112
14:45 <+pekster> Okay; he's described a /116 network. There's the "problem" for getting a 2600:3c00::21:8xxx address
14:45 <+pekster> He's complaining that getting the .... :8xxx is the issue
14:45 < WhoNeedszzz> right
14:45 <+pekster> That is *part* of a /112
14:45 < WhoNeedszzz> setting ipv6-pool manually works
14:45 < plaisthos> WhoNeedszzz: shouldn't
14:45 <+pekster> How do you not have that address if you have the *entire* /64 as you claim?
14:45 < plaisthos> what are you setting?
14:46 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Ping timeout: 248 seconds]
14:46 < WhoNeedszzz> look at my config pasted
14:46 < plaisthos> WhoNeedszzz: ipv6-pool also adds 0x1000 to the address
14:46 < WhoNeedszzz> that's what i did
14:46 < plaisthos> WhoNeedszzz: there is only xxxx
14:47 < plaisthos> no idea what /xx you specified
14:47 < WhoNeedszzz> here's my line: ifconfig-ipv6-pool 2600:3c00::21:7100
14:47 < WhoNeedszzz> that works
14:47 < WhoNeedszzz> it doesn't add
14:48 < WhoNeedszzz> what should route-ipv6 be?
14:48 < plaisthos> WhoNeedszzz: yes
14:48 -!- Orbi [~opera@anon-149-72.vpn.ipredator.se] has quit [Ping timeout: 248 seconds]
14:48 < plaisthos> it defaults to /64
14:48 < plaisthos> WhoNeedszzz: why do you assume that it does not add?
14:48 < WhoNeedszzz> because i looked at the output
14:48 < WhoNeedszzz> the address gets allocated properly
14:48 < WhoNeedszzz> i just need the route
14:48 < ngharo> WhoNeedszzz: here's my relevant bits for my working 2.3 ipv6 setup http://paste.debian.net/224676/
14:48 < plaisthos> hm
14:49 < plaisthos> you seem to be right
14:49 < ngharo> i have 2001:1af8:4400:a049::/64 assigned to me
14:49 < plaisthos> misread the code
14:49 < ngharo> WhoNeedszzz: didn't we get this working before? :)
14:49 < WhoNeedszzz> we did
14:49 -!- Orbi [~opera@anon-184-62.vpn.ipredator.se] has joined #openvpn
14:49 < WhoNeedszzz> it doesn't work in 2.3.0
14:49 < WhoNeedszzz> and i didn't change anything
14:50 < WhoNeedszzz> but right i forgot i already have the push route-ipv6
14:50 < WhoNeedszzz> so why isn't the client getting it?
14:50 < WhoNeedszzz> what does the bypass-dhcp part do?
14:50 < WhoNeedszzz> that's the only difference in our configs other than the manual allocating
14:51 < plaisthos> WhoNeedszzz: ngharo has also 112
14:52 < ngharo> can you repaste with your addresses shown
14:54 <@ecrist> !secret
14:54 <@vpnHelper> "secret" is funny that people use free programs, consult free help for them, run a business with them, but are restricted to say what they do.
14:54 <@ecrist> !topsecret
14:54 <@vpnHelper> "topsecret" is if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust.
14:55 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Quit: Leaving]
14:55 < ngharo> :)
14:55 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn
14:55 < WhoNeedszzz> sorry was testing vpn
14:55 < ngharo> ecrist: do you know where the windows NSI script is located in the source?
14:55 < WhoNeedszzz> ngharo, https://gist.github.com/853705caa977dc6a5a72
14:55 <@vpnHelper> Title: gist:853705caa977dc6a5a72 (at gist.github.com)
14:55 < WhoNeedszzz> which is what i had with rc2, but added tls-server and tls-client
14:56 < WhoNeedszzz> that config worked in rc3
14:56 < WhoNeedszzz> rc2*
14:56 <+pekster> Actually, I'm curious about the NSI location too, since I've been meaning to get around to submitting a patch to fix the awful lack of addtap.bat and deltapall.bat (I've had 3 people with issues because of that here, and that's the folks I've been able to help and seen)
14:57 < ngharo> I've got a couple people looking into building the visual studio project
14:57 < ngharo> but they're lazy hackers like myself :)
14:57 < ngharo> i highly doubt it'll spit out the NSI but who knows
14:57 <@ecrist> ngharo: no I do not, sorry
14:57 <+pekster> Well, the NSI "should" be provided since it's part of the installation of GPL software :\
14:58 < ngharo> pekster: maybe we can create one
14:58 < ngharo> shouldn't be too difficult
14:58 <+pekster> It seems silly to me to take a GPL project and "hide" it behind a non-copyleft installer >:|
14:58 < ngharo> but i agree
14:58 <@ecrist> we're not "hiding" anything
14:58 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye]
14:59 < plaisthos> WhoNeedszzz: you configured a /64 pool and a /64 server address
14:59 < plaisthos> this is the default
14:59 < WhoNeedszzz> ngharo, i have to run to class, but i'll keep this on to see what is said
14:59 < WhoNeedszzz> thanks for the help
14:59 < WhoNeedszzz> i'll be back on later
14:59 < plaisthos> if you do not own the /64 this config is wrong too ....
15:00 -!- emmanuelux [~emmanuelu@vpn7.freedom-ip.com] has joined #openvpn
15:00 < WhoNeedszzz> i said the range i have
15:00 < WhoNeedszzz> i don't understand /64 /112 /blash
15:00 <+pekster> You used a /64 CIDR mask and described a /116
15:00 < WhoNeedszzz> /blah*
15:00 <+pekster> That's a huge difference
15:01 < plaisthos> WhoNeedszzz: then you should read a basic ipv6 whatever tutorial
15:01 < plaisthos> what /xx is
15:01 <+pekster> (of millions and millions of IPs)
15:01 < WhoNeedszzz> here's what my host says: Public IP Pools 2600:3c00::21:7000/64 - 2600:3c00::21:7fff/64 (4096 addresses)
15:01 < plaisthos> WhoNeedszzz: that is bullshit
15:01 < plaisthos> sorry but that makes no sense
15:01 < ngharo> most hosts don't know IPv6 themselves I found
15:02 < plaisthos> the range you posted
15:02 < WhoNeedszzz> so what is 2600:3c00::21:7000/64 2600:3c00::21:7000:0:0:0:0?
15:02 < plaisthos> what would make is 2600:3c00:21:7000::/64 - 2600:3c00:21:7fff::/64 15:02 < plaisthos> WhoNeedszzz: nothing that makes any sense 15:03 < WhoNeedszzz> all i know is rc2 worked fine 15:03 < WhoNeedszzz> so it's clearly something wrong with 2.3.0 15:03 < WhoNeedszzz> nothing else has changed on my part 15:03 < WhoNeedszzz> but now i'm really late 15:04 <+pekster> A /52 is a little odd for a provider to hand out since they tend to stick with nibble boundaries (usually) 15:04 < plaisthos> yeah 15:04 <+pekster> I mean, technically you can do it... 15:04 <+pekster> They might actually be trying to "offer" a /116 or something really dumb, but then they need to be shot 15:05 <+pekster> And stop calling it a /64 :P 15:05 < ngharo> my host said "heres your /64, it has 65535 IPs" 15:06 < ngharo> lol k 15:06 < plaisthos> WhoNeedszzz: please before coming here time. a) learn about Ipv6 and cidr b) get the correct range from provider you have and c) between 2.3rc2 and 2.3.0 there is nothing that affects you (I know the code changes, so don't tell me there is a difference) 15:07 < WhoNeedszzz> then explain why it worked in rc2 and not now 15:07 < plaisthos> WhoNeedszzz: see c) 15:07 < WhoNeedszzz> that doesn't explain 15:08 < WhoNeedszzz> that contradicts 15:08 < plaisthos> yes 15:08 < ngharo> can you ping6 to the vpn endpoint? 15:08 < WhoNeedszzz> which my experience is saying otherwise 15:08 < ngharo> what is your problem anyways, just won't route out to the internet? 15:08 < WhoNeedszzz> i can ping both client and server 15:08 < WhoNeedszzz> just nothing else 15:08 < WhoNeedszzz> both directions 15:08 < ngharo> your problem is likely outside of openvpn 15:08 < WhoNeedszzz> that wouldn't make sense 15:08 < ngharo> are you still running npd?
15:08 < WhoNeedszzz> as i said, i didn't change anything on my system since 15:09 < ngharo> tcpdump your inet interface, look for icmpv6 packets 15:09 < plaisthos> WhoNeedszzz: the changes between 2.3rc2 and 2.3.0 are *extremely* unlikely to change *anyones* setup 15:09 < ngharo> likely the router is asking WHO HAS xx:xx:xx:xx::x 15:09 < WhoNeedszzz> ah yeah npd6 wasn't running 15:10 < WhoNeedszzz> i didn't know i needed it 15:10 < ngharo> there ya go 15:10 < plaisthos> WhoNeedszzz: ndp6 does not work with /116 :D 15:10 < WhoNeedszzz> ok super late now thanks 15:11 -!- dazo_afk is now known as dazo 15:12 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Ping timeout: 276 seconds] 15:13 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 15:15 -!- Devastator [~devas@186.214.14.9] has quit [Changing host] 15:15 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 15:18 <+pekster> ngharo: This doc appears out of date re: NSIS, because it references a '\win\openvpn.nsi' script that I can't find anywhere in the 2.3.0 sources :\ 15:18 <+pekster> Nor the make_dist.py 15:18 <+pekster> ngharo: Oh, missed the link: https://community.openvpn.net/openvpn/wiki/BuildingOnWindows 15:18 <@vpnHelper> Title: BuildingOnWindows – OpenVPN Community (at community.openvpn.net) 15:21 < plaisthos> someone just asked me if it is possible to run an OpenVPN server on an Android telephone 15:21 * plaisthos really wonders what the use case is 15:21 <+pekster> Bridge it to an office wifi and accept connections from 3G for spy situations ;) 15:24 < plaisthos> pekster: :D 15:24 -!- nutron|w [~nutron@24.67.96.21] has joined #openvpn 15:24 <+pekster> "My name is Michael Westen, and I hacked OpenVPN to run as a service on my cell phone."
15:38 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection] 15:44 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Ping timeout: 244 seconds] 15:50 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 16:01 -!- raidz is now known as raidz_away 16:01 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has quit [Quit: ZNC - http://znc.in] 16:04 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn 16:10 -!- raidz_away is now known as raidz 16:20 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn 16:28 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit [] 16:36 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.] 16:48 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [] 17:06 -!- grimeton [~ruth@2a01:4f8:d12:c45:0:dead:beef:cafe] has left #openvpn [] 17:20 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 17:22 -!- Orbi [~opera@anon-184-62.vpn.ipredator.se] has quit [Quit: Orbi] 17:23 <@dazo> pekster: we've split out everything which is not strictly the cross platform stuff in OpenVPN into separate projects ... which includes easy-rsa, windows TAP driver and windows installer 17:23 -!- nutron|w [~nutron@24.67.96.21] has quit [Changing host] 17:23 -!- nutron|w [~nutron@unaffiliated/nutron] has joined #openvpn 17:23 <@dazo> (we even now got a better cross-platform build tool ... 
so you can more easily build windows binaries directly from Linux) 17:25 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn 17:28 -!- dazo is now known as dazo_afk 18:00 -!- wh1p [~angus@host-2-100-148-6.as13285.net] has joined #openvpn 18:18 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 18:19 < WhoNeedszzz> so yeah it turns out i do only have a /116 18:21 <+hazardous> what the hell 18:21 <+hazardous> who the fuck issues /116's 18:22 < WhoNeedszzz> Linode 18:22 < WhoNeedszzz> My question is who has the resources to issue /64s? 18:30 <+hazardous> anyone with a /48 which is standard 18:33 < WhoNeedszzz> ok so still not working with npd6 running 18:33 < WhoNeedszzz> ngharo, you here? 18:34 < WhoNeedszzz> ok apparently they will give a /64 upon request 18:34 < WhoNeedszzz> most people don't need a /64 18:34 < WhoNeedszzz> hell i wouldn't ever use 4096 addresses for a /116 18:40 < WhoNeedszzz> woo now i have 2600:3c00:e000:0016::/64 18:44 <+hazardous> 16:22:36 < WhoNeedszzz> My question is who has the resources to issue /64s? 18:44 <+hazardous> i can issue like, a few million /64's from my home allocation.. 
18:44 <+hazardous> idgi 18:44 <+hazardous> ipv6 isn't really something to conserve 18:44 < WhoNeedszzz> ah see that shows how little i know about ipv6 18:44 < WhoNeedszzz> i know there are a ton of possible addresses 18:45 <+hazardous> iirc every atom in the universe can have an address or something equally inane 18:45 < WhoNeedszzz> but it seems wasteful to allocate entire /64 blocks 18:51 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Read error: Connection reset by peer] 18:51 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 18:51 < WhoNeedszzz> Ok now i'm getting "MULTI: bad source address from client [192.168.1.9], packet dropped 18:56 -!- DaCheat_ [JMark@external.JmarkIT.com] has joined #openvpn 18:56 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Read error: Connection reset by peer] 18:59 -!- zeeshoem [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn 19:03 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Disconnected by services] 19:03 -!- medum_ [kevin@n2l.org] has joined #openvpn 19:04 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 19:04 -!- Netsplit *.net <-> *.split quits: meepmeep, emmanuelux, medum, DaCheat, mnathani 19:04 -!- Netsplit over, joins: meepmeep 19:11 -!- DBordello [~DBordello@unaffiliated/dbordello] has quit [Ping timeout: 264 seconds] 19:11 -!- Netsplit *.net <-> *.split quits: meepmeep 19:11 -!- Netsplit over, joins: meepmeep 19:11 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 19:11 < WhoNeedszzz> Sorry vpn disconnected irc. Did anyone respond? 
19:11 < ngharo> !source 19:11 <@vpnHelper> My source is at http://supybot.com/ 19:11 < ngharo> !git 19:11 <@vpnHelper> "git" is (#1) For the stable git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git or (#2) For the development git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git or (#3) Browse the git repositories here: http://openvpn.git.sourceforge.net/git/gitweb-index.cgi or (#4) See !git-doc how to use git 19:13 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn 19:13 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [] 19:14 < WhoNeedszzz> ngharo, can you help me? 19:14 < ngharo> i suppose :v 19:14 -!- swiftkey [swiftkey@unaffiliated/swiftkey] has joined #openvpn 19:15 < swiftkey> /join #openvpn-as 19:15 < swiftkey> /join #openvpn-as 19:15 < swiftkey> hmm 19:15 < swiftkey> hello there 19:16 < ngharo> WhoNeedszzz: whats your eth0 ipv6 addr? 19:17 < ngharo> or rather paste 'ip -6 a' and server config 19:17 < ngharo> brb poopin :> 19:19 < WhoNeedszzz> ngharo, https://gist.github.com/a75ccae32417abe46354 19:19 <@vpnHelper> Title: gist:a75ccae32417abe46354 (at gist.github.com) 19:19 -!- rabidsnail [~rabidsnai@unaffiliated/cmdrbatguano] has joined #openvpn 19:19 -!- savagecroc [~grahamsav@207.204.241.202] has joined #openvpn 19:20 < savagecroc> how do i exclude traffic to a particular IP from going over the VPN? 19:21 < rabidsnail> (in Linux) add a route specifically for that IP that goes over some other interface 19:21 < swiftkey> im new to vpn 19:21 -!- brute11k [~brute11k@89.249.235.236] has quit [Quit: Leaving.] 19:23 < swiftkey> http://pastie.org/5686111 does this mean that my vpn is ok ? 
19:23 -!- savagecroc [~grahamsav@207.204.241.202] has quit [Read error: Connection reset by peer] 19:23 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 264 seconds] 19:23 < rabidsnail> savagecroc: man route, look at the examples 19:23 < swiftkey> but i cannot connect to the internet if i get connected to my vpn 19:24 < swiftkey> i already set /etc/resolv.conf to 8.8.8.8 19:27 < swiftkey> http://pastie.org/5686111 does this mean that my vpn is ok ? 19:27 < swiftkey> but i cannot connect to the internet if i get connected to my vpn 19:27 < swiftkey> i already set /etc/resolv.conf to 8.8.8.8 19:29 < ngharo> !linnat 19:29 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat 19:29 < ngharo> !1918 19:29 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? 
Try this one: http://scarydevilmonastery.net/subnet.cgi 19:29 < ngharo> swiftkey: read those 19:30 < ngharo> you should not be using 192.160 19:30 < ngharo> fix that, then configure a NAT 19:31 -!- savagecroc [~grahamsav@207.204.241.202] has joined #openvpn 19:31 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn 19:31 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Changing host] 19:31 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn 19:31 < savagecroc> ah found out the command 19:31 < savagecroc> route youku.com 255.255.255.0 net_gateway << very nice 19:31 < swiftkey> im not using 192.160 19:31 < swiftkey> its 192.168. 19:32 < swiftkey> hmm let me check 19:32 < swiftkey> thanks ngharo 19:32 < WhoNeedszzz> ngharo, wb 19:32 < ngharo> swiftkey: thats not what your logs say 19:33 < swiftkey> yes my bad 19:33 < swiftkey> thanks for the eyespot 19:33 < swiftkey> erm im new to this thanks for your help :) 19:34 < ngharo> WhoNeedszzz: can you even ping out to ipv6.google.com from your server right now 19:34 < rabidsnail> I'm trying to set up openvpn to only proxy traffic for applications that explicitly want to. I'm trying starting openvpn with no routes (--route-noexec) and explicitly binding to the tun interface, but clients seem to block forever. 19:35 < ngharo> which IPv6 address is valid, you have two that I see 19:35 < rabidsnail> eg: curl --interface tun0 'http://www.ipchicken.com' 19:35 < swiftkey> how to fix NAT ? 19:35 < swiftkey> i guess this is a very lame question 19:35 < swiftkey> but i need to hehe 19:36 < ngharo> see above for an iptables example 19:36 < swiftkey> i turned off iptables 19:36 < ngharo> well you need something to NAT, like iptables 19:37 < WhoNeedszzz> ngharo, yeah i can 19:37 < WhoNeedszzz> ngharo, what should the npd6 prefix be now?
19:37 < swiftkey> let me check again 19:38 < ngharo> WhoNeedszzz: well you said you've been assigned 2600:3c00:e000:0016::/64 19:38 < ngharo> yet i dont see any address configured with that 19:38 < ngharo> so im confused 19:38 < WhoNeedszzz> what do you mean? 19:39 < WhoNeedszzz> It's configured to tun0 19:39 < WhoNeedszzz> it's there what i pasted 19:39 < ngharo> eth0 isnt configured under that subnet 19:39 < swiftkey> im able to chat still but unable to surf 19:39 < swiftkey> i guess its a NAT problem then 19:39 < WhoNeedszzz> it's routed to my other ipv6 address 19:40 < WhoNeedszzz> do i need to also add it to eth0? 19:40 < ngharo> i would 19:40 < ngharo> set npd prefix to 2600:3c00:e000:0016: 19:41 < ngharo> and server-ipv6 in config to server-ipv6 2600:3c00:e000:0016::f/112 19:41 < WhoNeedszzz> ah ok 19:45 -!- b1rkh0ff [~b1rkh0ff@178.77.8.47] has quit [Ping timeout: 255 seconds] 19:45 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Read error: Connection reset by peer] 19:46 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 19:46 < WhoNeedszzz> still no go 19:47 < WhoNeedszzz> does it have anything to do with the MULTI: Bad source address...blah...blah have to do with it? 
19:47 < WhoNeedszzz> wow sentence fail 19:48 < WhoNeedszzz> ngharo, 19:48 < ngharo> paste client log, ip -6 a, and ip -6 r 19:49 -!- raidz is now known as raidz_away 19:49 < ngharo> also do you still have ipv6 forwarding enabled 19:49 < ngharo> and proxy_npd 19:49 < ngharo> net.ipv6.conf.all.forwarding=1 19:49 < ngharo> net.ipv6.conf.all.proxy_ndp=1 19:50 < ngharo> (server) 19:53 < WhoNeedszzz> ngharo, https://gist.github.com/f413909536d3a3fdce76 19:53 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Remote host closed the connection] 19:53 <@vpnHelper> Title: gist:f413909536d3a3fdce76 (at gist.github.com) 19:54 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 19:54 < WhoNeedszzz> ngharo, https://gist.github.com/f413909536d3a3fdce76 19:54 <@vpnHelper> Title: gist:f413909536d3a3fdce76 (at gist.github.com) 19:54 < WhoNeedszzz> and yes those sysctl settings are correct 19:56 < ngharo> and npd has the right prefix and was restarted 19:56 < WhoNeedszzz> yes 19:56 -!- b1rkh0ff [~b1rkh0ff@178.77.8.47] has joined #openvpn 19:56 < ngharo> you can ping ip6 client<->server? 19:56 < WhoNeedszzz> yes 19:56 < WhoNeedszzz> both ways 19:57 < WhoNeedszzz> ah wait 19:57 < WhoNeedszzz> the prefix isn't right 19:57 < WhoNeedszzz> i have :16 instead of :0016 19:58 < ngharo> you can omit leading zeros 19:58 < ngharo> should be fine 19:58 < ngharo> tcpdump -i eth0 ip6 19:59 < ngharo> then do ping6 2001:1af8:4400:a049:: from client 19:59 < ngharo> do you see the traffic leaving eth0? 20:00 -!- savagecroc [~grahamsav@207.204.241.202] has quit [Ping timeout: 260 seconds] 20:02 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Read error: Connection reset by peer] 20:05 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 20:05 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has joined #openvpn 20:05 < WhoNeedszzz> ngharo, the ping6 command you gave gives: "ping6: Source routing is deprecated by RFC5095." 
20:05 < CrashTM> how might i forward a port through my openvpn server to the client 20:06 < WhoNeedszzz> but i pinged the server vpn ipv6 address and didn't get any unknown solicitations 20:07 < WhoNeedszzz> it's hard to see what's going on in the dump because i have an ipv6 named server active 20:08 < ngharo> CrashTM: treat it like any other LAN interface 20:08 < CrashTM> >.> 20:08 < ngharo> also, where in WI :) 20:09 < ngharo> i'm just north of Milwaukee 20:09 < CrashTM> the mil 20:09 < ngharo> cool 20:09 < ngharo> I do a security meeting every month on 5th and national 20:09 < CrashTM> cool 20:10 < ngharo> dc414, check it out if you're interested 20:10 < CrashTM> mind giving more info on how i might do that 20:10 < WhoNeedszzz> ngharo, so what am i looking for in the tcpdump? 20:11 < ngharo> WhoNeedszzz: filter by 'icmp6' instead of just 'ip6' then 20:11 < ngharo> well 20:11 -!- gardar [~gardar@gardar.net] has quit [Quit: bye!] 20:11 < ngharo> i'm not sure why ping6 returns that 20:11 < WhoNeedszzz> can i filter out the port? 20:11 < ngharo> i still say assign 2600:3c00:e000:0016::/64 to eth0 20:11 < ngharo> and remove the others 20:11 < ngharo> and make sure you can ping6 google after that 20:12 < ngharo> then try vpn again 20:12 < WhoNeedszzz> well since the /64 is routed to the existing one, won't that screw things up? 20:12 < ngharo> i dunno, i'm too dumb to know that 20:12 < ngharo> CrashTM: http://serverfault.com/questions/140622/how-can-i-port-forward-with-iptables 20:12 <@vpnHelper> Title: linux - How can I port forward with iptables? - Server Fault (at serverfault.com) 20:13 < ngharo> CrashTM: you can assign static IPs to client with ccd entries 20:13 < ngharo> !ccd 20:13 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects. 20:13 -!- gardar [~gardar@gardar.net] has joined #openvpn 20:14 < ngharo> WhoNeedszzz: maybe just assign that address in addition to what you have now 20:18 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Quit: Leaving] 20:19 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 20:19 -!- Castorrr [Castor_@CPE-72-133-200-232.wi.res.rr.com] has joined #openvpn 20:19 < WhoNeedszzz> ngharo, hmm nothing is coming up in tcpdump when i ping it 20:20 < WhoNeedszzz> other than IP6 fe80::ca4c:75ff:fef5:c4ff > whirlpool: ICMP6, neighbor solicitation, who has whirlpool, length 32 20:20 < WhoNeedszzz> and i'm constantly getting pinged by 2001:1af8:4400:a049::100f 20:20 < ngharo> yea thats me trying to hit your client 20:21 < WhoNeedszzz> ok 20:21 < WhoNeedszzz> thought so 20:21 < ngharo> so thats good you're receiving it 20:21 < ngharo> but the tun0<->eth0 is busted 20:21 < WhoNeedszzz> also getting IP6 whirlpool > fe80::1: ICMP6, neighbor solicitation, who has fe80::1, length 32 20:21 < ngharo> is it your god damned firewall again? :) 20:22 < WhoNeedszzz> haven't touched the fw 20:22 < ngharo> do you log drops? 20:22 < ngharo> check to make sure 20:22 < WhoNeedszzz> before i just had a typo of icmpv6-type 8 when it should have been 128 20:22 < WhoNeedszzz> how to check that? 20:23 < ngharo> it's your firewall man :) 20:23 < ngharo> syslog? 
20:23 < WhoNeedszzz> i'm getting request and reply from you 20:24 < ngharo> yeah to ::10 works 20:24 < ngharo> ::100f does not reply 20:24 < WhoNeedszzz> i use systemd so i guess journalctl 20:24 < WhoNeedszzz> well it's down now 20:24 < WhoNeedszzz> i can be on irc while it's on 20:24 < WhoNeedszzz> it makes my whole connection screw up 20:24 < WhoNeedszzz> can't* 20:25 < ngharo> you could comment the ipv4 redirect gateway 20:25 < ngharo> probably whats doing it 20:25 < ngharo> while testing 20:27 < WhoNeedszzz> ok yeah now it's not destroying my connection 20:27 < WhoNeedszzz> it's live now 20:27 < WhoNeedszzz> but can you still reach me when i'm not redirecting? 20:28 < CrashTM> ngharo 20:28 < CrashTM> hmm 20:28 < ngharo> that line has nothing to do with ipv6 20:28 < CrashTM> seems like it is not working 20:29 < WhoNeedszzz> so i should be able to ping6 ipv6.google.com when that is commented? 20:29 < ngharo> WhoNeedszzz: yes ideally 20:29 < WhoNeedszzz> i thought that was the whole point was that i need to redirect to get access 20:29 < WhoNeedszzz> i don't have ipv6 here 20:30 < ngharo> the 2000::/3 is your ipv6 "default" route 20:30 < ngharo> redirect-gateway is ipv4 20:32 < WhoNeedszzz> oh 20:32 < ngharo> WhoNeedszzz: can you ping6 2600:3c00::21:7d0c from your client? 20:32 < WhoNeedszzz> lol 20:32 < WhoNeedszzz> yeah 20:32 < WhoNeedszzz> is ipv6.google.com down? 20:33 < ngharo> lol no 20:33 < ngharo> WhoNeedszzz: but ping6 ngha.ro throws that source routing error? 20:34 < WhoNeedszzz> no now it just hangs 20:34 < ngharo> same with 2001:1af8:4400:a049:: 20:34 < ngharo> ?
20:35 < WhoNeedszzz> yeah 20:35 < WhoNeedszzz> no error now 20:35 < WhoNeedszzz> just hangs 20:36 < ngharo> yeah i dunno 20:36 < ngharo> gather your details and ask in #ipv6 20:36 < ngharo> you can ping across the vpn 20:36 < ngharo> the problem is outside openvpn 20:37 < ngharo> CrashTM: google iptables port forwarding gives you hundreds of examples, take your pick 20:37 < WhoNeedszzz> when pinging you and running tcpdump i just get: "IP6 whirlpool > fe80::1: ICMP6, neighbor solicitation, who has fe80::1, length 32" 20:39 < ngharo> fe80::1 is your gateway? 20:39 < WhoNeedszzz> yes 20:40 < WhoNeedszzz> here is tcpdump running for a while: https://gist.github.com/9ebf0c6793d3c6fa3c8d 20:40 <@vpnHelper> Title: gist:9ebf0c6793d3c6fa3c8d (at gist.github.com) 20:45 < WhoNeedszzz> ngharo,? 20:48 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 272 seconds] 20:48 < WhoNeedszzz> ngharo, are you sure it's not related to me seeing this?: MULTI: bad source address from client [192.168.1.9], packet dropped 20:50 < WhoNeedszzz> nvm i'm not actually getting that anymore 20:52 < WhoNeedszzz> according to linode it is my firewall 20:52 < WhoNeedszzz> they say the FORWARD chain needs to be ACCEPT or have rules to forward between eth0 and tun0 20:53 -!- corretico [~luis@190.211.93.38] has joined #openvpn 20:54 -!- corretico [~luis@190.211.93.38] has quit [Max SendQ exceeded] 20:55 < WhoNeedszzz> yep that's it alright 20:55 < WhoNeedszzz> hmm odd i don't remember allowing it to be accept before 20:55 -!- corretico [~luis@190.211.93.38] has joined #openvpn 20:56 < WhoNeedszzz> and ok so if that works without the redirect-gateway what is the benefit of that? 20:57 -!- corretico [~luis@190.211.93.38] has quit [Max SendQ exceeded] 20:57 < ngharo> ip4 traffic 20:57 -!- corretico [~luis@190.211.93.38] has joined #openvpn 20:57 < WhoNeedszzz> why would you want to route ip4 traffic? 20:58 < WhoNeedszzz> for encrypting traffic? 
20:58 < ngharo> to your server, yes 20:59 < WhoNeedszzz> You paranoid? :p 20:59 < WhoNeedszzz> What would be the benefit of that? 21:02 < ngharo> for me my traffic is encrypted until it goes overseas 21:02 < ngharo> which I like 21:02 -!- zz_AsadH is now known as AsadH 21:03 -!- AsadH [~AsadH@unaffiliated/asadh] has left #openvpn [] 21:04 -!- crazyhorse [~grahamsav@207.204.241.202] has joined #openvpn 21:04 < crazyhorse> any idea how i can push all traffic from a particular application over normal internet and not the VPN? 21:05 < ngharo> do you know the host the application contacts? 21:06 < crazyhorse> nah it's random hosts 21:06 < crazyhorse> utorrent 21:06 < crazyhorse> utorrent supports socks/http proxy 21:06 < crazyhorse> but i don't know if that helps 21:07 < WhoNeedszzz> ngharo, why does it not stay encrypted? 21:07 < crazyhorse> vpn has limited bandwidth 21:07 < crazyhorse> so i just want to run it over the normal internets 21:08 < ngharo> WhoNeedszzz: it gets decrypted once it reaches my server 21:08 < ngharo> WhoNeedszzz: as does your ipv6 traffic now 21:09 < WhoNeedszzz> anyway i can make it stay encrypted? 21:09 < ngharo> no, the public internet doesnt know how to decrypt your stream 21:10 < ngharo> that would defeat the purpose 21:10 < WhoNeedszzz> right ok 21:11 < WhoNeedszzz> so currently if someone were snooping on my traffic they can't see my ipv6 traffic, correct? 21:11 < WhoNeedszzz> snooping on the client 21:11 < ngharo> they cant see anything between client and server 21:11 < ngharo> except a bunch of garbage 21:11 < WhoNeedszzz> So if i redirect my ipv4 traffic my ISP can't snoop on me, right? 
21:11 < ngharo> correct 21:12 < WhoNeedszzz> great 21:12 < WhoNeedszzz> i'll re-enable that then 21:12 < ngharo> your server's ISP still can though 21:12 < WhoNeedszzz> right 21:12 < WhoNeedszzz> they won't though 21:12 < ngharo> of course they wont :) 21:12 < WhoNeedszzz> i'm just trying to make my torrenting traffic encrypted :) 21:13 < ngharo> if ya got a server, why not torrent there? 21:13 < WhoNeedszzz> i tried just using encryption in the torrent client, but a lot of people can't be reached when i do that 21:13 < ngharo> rtorrent + rutorrent client = win 21:13 < WhoNeedszzz> then i would have to download to my server then upload to my client 21:13 < WhoNeedszzz> that would use my bandwidth 21:13 < WhoNeedszzz> i run a Tier 2 DNS server 21:14 < WhoNeedszzz> already get a lot of traffic 21:14 -!- crazyhorse [~grahamsav@207.204.241.202] has quit [Ping timeout: 255 seconds] 21:14 < ngharo> you're still using the same traffic doing it from client 21:14 < ngharo> but whatevs, either or 21:14 < WhoNeedszzz> oh ha you're right 21:14 < ngharo> i just prefer to do it on server for 100mbit action 21:14 < WhoNeedszzz> didn't think about it that way 21:20 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Disconnected by services] 21:21 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has joined #openvpn 21:21 < WhoNeedszzz> hmm restarting the vpn messes up my irc connection 21:21 < WhoNeedszzz> but at least it's working now 21:21 < WhoNeedszzz> Thanks for the help 21:58 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has left #openvpn ["Leaving"] 22:32 -!- rabidsnail [~rabidsnai@unaffiliated/cmdrbatguano] has quit [Quit: rabidsnail] 22:35 -!- blackness [black@2001:470:8cf8::9] has quit [Read error: Connection reset by peer] 22:45 -!- elc0 [~andy@c-71-205-251-207.hsd1.mi.comcast.net] has joined #openvpn 22:45 -!- HyperGlide [~HyperGlid@182.149.53.195] has quit [Remote host closed the connection] 22:46 < elc0> !welcome 22:46 <@vpnHelper> "welcome" is (#1) Start by stating your goal, 
such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 22:46 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 22:46 < elc0> !ip forward 22:48 < elc0> !nat 22:48 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto 22:53 -!- zeeshoem [~zee@198-84-231-11.cpe.teksavvy.com] has quit [] 22:54 -!- mnathani [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn 22:58 -!- elc0 [~andy@c-71-205-251-207.hsd1.mi.comcast.net] has quit [Ping timeout: 245 seconds] 23:14 -!- bigmeow [~mirror@184.82.217.174] has quit [Ping timeout: 276 seconds] 23:15 -!- bigmeow [~mirror@184.82.217.174] has joined #openvpn 23:52 < mnathani> How can I use the windows openvpn client with my opensource / (Non-Access Server version of Openvpn) Not sure how to create an openvpn profile --- Day changed Tue Jan 15 2013 00:08 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has quit [Quit: Leaving] 00:15 < ngharo> !sample 00:15 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting 00:15 < ngharo> start there, name it 
.ovpn and go 00:16 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds] 00:32 < mnathani> Thanks ngharo 00:38 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn 01:19 <+pekster> dazo_afk: Okay, that was the info I needed. Maybe 2.3.0 wasn't built with this commit then? Because the installation leaves out the utility scripts by default unless a user manually re-installs the tap-windows.exe with the utilities selected. https://github.com/OpenVPN/openvpn-build/commit/95df0695e2106c17dcbb55b661c5669b953b1a6c 01:19 <@vpnHelper> Title: windows-nsis: install tap utilities · 95df069 · OpenVPN/openvpn-build · GitHub (at github.com) 01:24 <+pekster> Oh, I think I found the problem (the installer section isn't named the same in the tap-windows project as it is in openvpn-build's nsis script. I'll verify the cause and send in a patch to correct 01:29 <+pekster> Or, too soon; there's macro magic that's supposed to make it work. I guess I'll dig further to see if the build lacks the right commits from master and see what I find 01:41 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 01:55 -!- Orbi [~opera@109.129.15.71] has joined #openvpn 01:57 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 02:00 -!- Orbi [~opera@109.129.15.71] has quit [Ping timeout: 245 seconds] 02:03 -!- Orbi [~opera@anon-149-134.vpn.ipredator.se] has joined #openvpn 02:09 -!- Orbi [~opera@anon-149-134.vpn.ipredator.se] has quit [Ping timeout: 245 seconds] 02:14 -!- oskie_ is now known as oskie 02:16 -!- Orbi [~opera@anon-185-43.vpn.ipredator.se] has joined #openvpn 02:21 -!- Azrael808 [~peter@212.161.9.162] has quit [Quit: Ex-Chat] 02:31 < Orbi> I removed "writepid /var/run/openvpncl.pid" from the config and the errors "Initialization Sequence Completed": write UDPv4 [EMSGSIZE Path-MTU=1492]: Message too long (code=97)" dissapeared 02:31 < Orbi> Somebody understand the link if there is one? 
02:44 -!- blackness [black@2001:470:8cf8::9] has joined #openvpn 02:44 < blackness> !openvz 02:44 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg Xen. 03:01 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [] 03:06 -!- NChief [tomme@unaffiliated/nchief] has quit [Ping timeout: 264 seconds] 03:08 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 03:30 -!- blackness [black@2001:470:8cf8::9] has quit [Ping timeout: 252 seconds] 03:40 -!- brute11k [~brute11k@89.249.235.236] has joined #openvpn 03:49 -!- a_ [~d@64.111.123.163] has quit [Quit: Reconnecting] 03:49 -!- catsup [~d@64.111.123.163] has joined #openvpn 03:54 -!- d12fk [~heiko@exit0.net] has joined #openvpn 04:06 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 04:06 -!- Azrael808 [~peter@212.161.9.162] has quit [Client Quit] 04:08 -!- Orbi [~opera@anon-185-43.vpn.ipredator.se] has quit [Read error: Connection reset by peer] 04:08 -!- Orbi [~opera@anon-185-43.vpn.ipredator.se] has joined #openvpn 04:25 -!- Orbi [~opera@anon-185-43.vpn.ipredator.se] has quit [Ping timeout: 245 seconds] 04:27 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn 04:28 < fu_fu> morning 04:31 < fu_fu> got a problem: after several hours of use the tunnel seems to go half-down. ping from the server does not return, ping from the client returns normally. when i reload the service on client, pings resume normally. (Windows to windows) 04:31 < fu_fu> the problem last occurred after the hourly rekey 04:33 <+pekster> Sounds like a firewall problem on the client. You're talking about an ICMP ping, right? Not OpenVPN's control-channel --ping option? 
04:34 < fu_fu> yes correct, ping is just the symptom, other data does not flow either
04:34 < fu_fu> how does a firewall issue behave intermittently?
04:34 <+pekster> The reply ping is itself tunneled data. The fact that you get a reply means the tunnel is working
04:34 < fu_fu> only one way
04:35 <+pekster> No, both ways, otherwise you wouldn't get the ICMP echo-response
04:35 < fu_fu> ok, so only from one source then
04:35 < fu_fu> the server > client does not function after hours of use
04:35 < fu_fu> ceases to function
04:36 <+pekster> Sorry, that's patently incorrect. How do you think the "ping" gets back to the client?
04:36 <+pekster> tcpdump the tun interface on the client if you don't believe me
04:36 <+pekster> You'll see an ICMP echo-request packet go from client -> server, then a reply ICMP echo-reply packet from server -> client
04:37 <+pekster> If you don't see that, then you wouldn't get a response in your command window on the ping
04:37 < fu_fu> ok, why won't ping work until i restart the service
04:37 <+pekster> You just said it did work when initiated from the client, right?
04:37 < fu_fu> yes, not from the server, thus half-down
04:38 <+pekster> You're not getting it. This isn't an openvpn problem, because the tunnel isn't what's "half down"
04:38 <+pekster> The tunnel is working just fine since the reply traffic comes *back* to the client. Do you understand why this demonstrates that the server can reach the client across the VPN tunnel?
04:39 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Connection timed out]
04:39 <+pekster> If you want, increase the verbosity of both client & server to 'verb 5' in the ovpn configuration and see if anything odd appears when this happens. Otherwise, look at your OS-level configuration to fix the reason your server apparently replies selectively in a way you don't like
04:40 < fu_fu> i have verb level 5 set
04:40 <+pekster> The server has to *SEND* the ICMP echo-reply packet
04:40 <+pekster> You see? That packet *does* get back to the client. It's just a normal IP packet like any other IP traffic
04:40 < fu_fu> there is no rw after the rekey
04:41 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
04:42 < fu_fu> so why doesn't the log reflect the client origin pings?
04:47 <+pekster> No clue. When I use verb5 and ping across the tunnel, I get this in my server logs:
04:47 <+pekster> WRwrWRwr
04:47 < fu_fu> me too, until the problem happens
04:47 <+pekster> But you're getting replies?
04:47 <+pekster> Specifically, something like this:
04:47 <+pekster> Pinging 10.123.123.1 from 10.123.123.100 with 32 bytes of data:
04:47 <+pekster> Reply from 10.123.123.1: bytes=32 time=3ms TTL=128
04:48 <+pekster> If you get a reply, the traffic is coming back to you (obviously.) You can't say you're not getting traffic across the tunnel when you have evidence that you are
04:48 -!- genghi1 [~Adium@p5089BF98.dip.t-dialin.net] has joined #openvpn
04:52 < fu_fu> i am only getting replies from one side, and only after several hours of proper operation
04:53 -!- Minnebo [~Minnebo@office.exabyte.be] has joined #openvpn
04:53 < Minnebo> Hello, i'm an openvpn noob!
04:53 < Minnebo> I managed to get it working
04:54 < fu_fu> the client log shows no rw after the rekey
04:54 < Minnebo> I can ping to my server, but i cannot access files
04:58 <+pekster> fu_fu: Can you post your server config file? Maybe you're specifying some option that re-runs on a rekey that's causing you issues; I doubt it, but I can take a glance anyway
04:59 -!- blackness- [black@199.175.53.115] has joined #openvpn
04:59 < blackness-> Is it possible to listen on :113 on an OpenVPN HOST and OpenVPN client?
04:59 < Minnebo> I can access it through its 10.0.8.1 address
04:59 < Minnebo> :w
05:00 < fu_fu> ok
05:00 <+pekster> Minnebo: ping the VPN endpoint? Then how are you trying to access files? Use the VPN IP to reach that server, unless you're also pushing additional routes
05:00 < blackness-> Like, the OpenVPN client has working ident, and the OpenVPN HOST has working ident.
05:01 < Minnebo> pekster, well I can ping to the server on 192.168.100.1 but when I do \\192.168.100.1 it says no access. When i go \\10.0.8.1 I see all the shares. What do I need to configure to get \\192.168.100.1 working?
05:04 <+pekster> holmen: I'm going to bring the conversation back here since, at least for now, I don't need to reference your configs anymore that you don't want shared. Since you have multiple routing tables, you somehow need to add the route for the VPN peer to go out via tap0
05:04 <+pekster> holmen: You might just need to specify a /32 route using the $route_vpn_gateway and $ifconfig_local options, since you really just need a route to the $route_vpn_gateway for your two /1 routes to work (remember, those are there to emulate the behaviour of 'redirect-gateway' as required for your 2nd routing table)
05:05 <+pekster> Minnebo: The VPN server is alive at both those IPs?
05:05 < Minnebo> yes
05:05 <+pekster> Are you pushing a route for that IP then across the VPN tunnel? Otherwise, maybe that IP is just responding from something else on the client's local network
05:05 < Minnebo> The vpn server runs on the 192.168.100.1
05:06 < Minnebo> and the 10.0.8.1 is the virtual ip
05:06 < Minnebo> our local network is 111
05:06 < Minnebo> but you might be correct
05:07 < Minnebo> i might just change these virtual ip's
05:07 < Minnebo> and give this dhcp 5 addresses
05:07 < Minnebo> then I won't have the problem
05:08 -!- Orbi [~opera@anon-186-110.vpn.ipredator.se] has joined #openvpn
05:08 <+pekster> Minnebo: To access a LAN address like that, you need to push a route to it to the VPN client
05:08 <+pekster> Otherwise the client has no way to know that traffic for 192.168.100.x is supposed to go across the tunnel
05:08 <+pekster> Have you pushed such a route?
05:09 < Minnebo> no
05:09 < Minnebo> its default
05:09 <+pekster> Then this is why it doesn't work
05:09 < Minnebo> config
05:09 <+pekster> It's just chance that you get a reply from some "other" 192.168.100.1 on your client's upstream network
05:09 < Minnebo> k
05:09 < Minnebo> what does the push thing look like?
05:10 < Minnebo> push "route 192.168.100.0 255.255.255.0"
05:10 < Minnebo> ?
05:10 <+pekster> Yup
05:10 < blackness-> Yep.
05:10 < Minnebo> k
05:10 <+pekster> The client will send that to the client and the client will get a route added on connect that sends traffic for that network via the VPN server
05:10 < blackness-> thanks again pekster for all your help. :)
05:10 <+pekster> The server will send*
05:11 <+pekster> Sure
05:11 < blackness-> Feel like helping me with my little problem?
05:11 <+pekster> You can't have "both" servers respond to a port, no
05:12 <+pekster> When you deal with private addresses, your internal LAN doesn't actually exist according to the Internet
05:12 <+pekster> A port is a port. You can't subdivide it further
05:13 < blackness-> what about having it triggered by source_address and respond back to that source?
05:13 < blackness-> just curious is all..
05:13 < fu_fu> afk
05:14 < Minnebo> 192.168.100.0 255.255.255.0 10.8.0.5 10.8.0.6 30 I see this in my route print but still no go, perhaps a firewall rule?
05:15 < Minnebo> and can't ping anymore :D
05:15 <+pekster> blackness-: huh? How do you expect to know "which" private host an external client wants to send a packet for based on its source address?
05:15 <+pekster> That doesn't even make any sense
05:16 < fu_fu> bk
05:16 <+pekster> Minnebo: It could be; that depends on how your firewall is set up
05:16 <+pekster> See the note in the /topic (often people's problems are caused by firewalls)
05:16 < Minnebo> ty
05:17 < Minnebo> !welcome
05:17 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
05:17 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:17 <+pekster> Remember to look at it knowing that the source IP will be the VPN address and the destination IP will be 192.168.100.1
05:17 <+pekster> Also, if you're exposing the entire server-side LAN like that, also see:
05:18 <+pekster> !serverlan
05:18 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
05:18 <+pekster> The route you pushed is a whole /24, not just a single host
05:18 < Minnebo> yes
05:18 < Minnebo> indeed
05:18 < Minnebo> i'll fix it and relog
05:18 <+pekster> Well, that won't cause a problem getting to that host, just if you wanted to reach other hosts in the /24
05:19 <+pekster> Chances are good it's a firewall issue if you have that route and it's still not working
05:22 < Minnebo> pekster, i think the problem is
05:22 < blackness-> if i set a var of IPs, how should it be? 0.0.0.0,1.1.1.1 ?
05:22 < Minnebo> that the server doesn't know a route back?
05:23 <+pekster> fu_fu: I see nothing in that setup that would cause issues on re-keying or similar. The 'keepalive' directive guarantees that the encapsulating tunnel is still running or that the peer will reconnect, and your ICMP ping from client -> server shows that bi-directional traffic is flowing and being routed as expected
05:23 <+pekster> Your problem is simply not openvpn
05:23 <+pekster> blackness-: huh? I need some context here
05:23 < blackness-> i'll be using the var like this: iptables -A INPUT -i eth0 -p tcp -s $IPLIST --dport 2222 -j ACCEPT
05:24 <+pekster> Use ipset for that, or write unique rules for each IP (optionally put them in your own user-defined chain to minimize processing time)
05:24 < blackness-> so a loop would be required if i did a ruleset per IP correct?
05:24 <+pekster> loop?
05:24 < blackness-> im not good enough to use ipset at this point
05:25 < blackness-> yeah, for i in $IPLIST; do ipfilter rule here; done
05:25 < blackness-> which that loop would replace the single --dport 2222 line ofc.
05:25 <+pekster> If you'd like, sure. I don't apply my rules like that and use iptables-restore to load my rules
05:26 < blackness-> welp, time to get to writing a loop :)
05:26 <+pekster> fu_fu: I don't mind keeping your private configuration in a PM, but don't ask me questions there. I'm not your personal paid support, and this channel has other people who can help, and may see something I don't. Plus I don't like answering questions in private that don't have a chance to benefit other people
05:27 <+pekster> !topsecret
05:27 <@vpnHelper> "topsecret" is if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust.
05:27 < Minnebo> !route
05:27 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
05:28 < Minnebo> !tcpip
05:28 <+pekster> Really your config has nothing to identify you beyond your commented out local IP anyway (and you can just remove comments if you'd like, or even mask your public IP if it wasn't commented. masking isn't preferred, but if you do it in a limited fashion no one usually minds much)
05:28 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
05:29 <+pekster> blackness-: A better way to do that is to use a match like -i $iface -p tcp --dport 1234 -j whitelist
05:29 <+pekster> Of course, you need to create a 'whitelist' chain first
05:29 <+pekster> Then just add rules there matching -s $ip1 -j ACCEPT
05:29 <+pekster> $ip2, etc, etc
05:29 <+pekster> But ipset is faster to do that if you have dozens, hundreds, or even thousands of IPs to do that with
05:31 < Minnebo> what is the difference between push "route 192..." and just route 192...
05:32 <+pekster> The push sends it to the client (assuming it specifies 'pull' or 'client' in its config) while the route command adds a route to the system where that config is at
05:32 < Minnebo> I think that is the problem no?
05:32 < blackness-> oh its just 4 IPs..my known IPs in fact.
05:33 < Minnebo> my server has no route to answer?
05:34 <+pekster> Minnebo: What? You're pushing a route to the IP/network your server is already on
05:34 <+pekster> What are you trying to do? Just route to 192.168.100.1/32 via the VPN? If the server already owns that IP, you just need to push the /32 route and you're done
05:35 < Minnebo> I have: push "route 192.168.100.1/32 255.255.255.0"
05:35 < Minnebo> but should I add
05:35 < Minnebo> route 10.8.0.0 255.255.255.0 in the server config?
05:35 < fu_fu> does OpenVPN offer paid professional support?
05:35 <+pekster> You can't use CIDR
05:36 <+pekster> 192.168.100.1 255.255.255.255
05:36 <+pekster> That's a /32 host netmask
05:36 <+pekster> !cidr
05:36 <@vpnHelper> "cidr" is http://www.oav.net/mirrors/cidr.html
05:36 <+rob0> fu_fu, I think they do, look at their web page. It might only be for OpenVPN Access Server, however.
05:36 < Minnebo> from the server I cannot ping to my client
05:36 < Minnebo> so it has no route i think
05:36 < Minnebo> :p
05:36 <+pekster> How are you trying to ping it? Via VPN IP?
05:37 < Minnebo> local
05:37 < Minnebo> no yes
05:37 < Minnebo> the dhcp ip I get from the openvpn
05:37 <+pekster> Then it's your firewall that's a problem
05:37 < Minnebo> damn
05:38 <+pekster> You don't usually need to ping the client from the server to get access to resources on the server that the client initiates. Not if your firewall is set up in a sane way
05:38 < Minnebo> i'll test an fwd-accept-all
05:39 <+pekster> Let me put it this way: if you can ping from client to whatever server-side IP you want and verify (via tcpdump or wireshark or whatever) that it's actually going across the VPN tunnel, then anything else after that is your firewall config
05:39 <+pekster> If you can't ping your target, you either have a routing or firewall problem
05:44 -!- Inst [blackfores@unaffiliated/inst] has joined #openvpn
05:44 < Inst> hi!
05:44 < Inst> <#
05:44 < Inst> http://community.openvpn.net/openvpn/wiki/TrafficObfuscation
05:44 <@vpnHelper> Title: TrafficObfuscation – OpenVPN Community (at community.openvpn.net)
05:45 < blackness-> what about it?
05:46 < Inst> just wondering if anyone has any experience with it
05:46 < holmen> !cidr
05:46 <@vpnHelper> "cidr" is http://www.oav.net/mirrors/cidr.html
05:46 -!- Inst [blackfores@unaffiliated/inst] has left #openvpn ["Leaving"]
05:46 -!- bakery [~qjkh@124.248.205.28] has joined #openvpn
05:48 < bakery> oh, hey, it appears the gov manually blocked my IP
05:48 * bakery facepalms
05:50 <+pekster> heh. You're "interesting" now :P
05:50 <+pekster> Lousy censorship :(
05:51 < bakery> they did this to me twice
05:51 < bakery> i'm wondering if my VPS providers are going to start bitching at me because I get their expensive IPs blocked
05:54 < Minnebo> pekster,
05:54 < Minnebo> my fucking god :D
05:54 < Minnebo> i open internet
05:55 < Minnebo> and navigate to 192.168.100.1 and I get an interface of a modem O_o
05:55 < Minnebo> :D
05:55 < Minnebo> i'll test this at home again
05:55 <+pekster> Told you it was probably an upstream IP that was another 192.168.100.1
05:55 <+pekster> RFC1918 lets anyone use the private IP space for any purpose
05:56 < Minnebo> but i dont get it, my route says to use another gw
05:56 < Minnebo> then why does he still reach this modem page :p
05:56 <+pekster> That's why I said to trace the ping from the client to make sure it's going over the right interface
05:56 <+pekster> If it doesn't, your routing is screwed up
05:57 -!- bakedin [SouthOfThe@216.131.64.53] has joined #openvpn
05:57 <+pekster> If it does, then follow the packet to make sure it's getting to the peer at the other end of the tunnel
05:57 < Minnebo> with wireshark
05:57 <+pekster> Sure
05:57 < Minnebo> k
05:57 -!- bakery [~qjkh@124.248.205.28] has quit [Ping timeout: 260 seconds]
05:57 < Minnebo> well gtg now visit some customers i'll look at this again tonight!
05:58 < Minnebo> thx for your help
06:02 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has quit [Quit: Changing server]
06:02 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has joined #openvpn
06:02 -!- Minnebo [~Minnebo@office.exabyte.be] has quit [Ping timeout: 260 seconds]
06:23 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has quit [Quit: leaving]
06:26 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has joined #openvpn
06:27 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn
06:46 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.]
06:50 -!- bakedin [SouthOfThe@216.131.64.53] has quit [Ping timeout: 252 seconds]
06:50 -!- blackness- [black@199.175.53.115] has quit [Ping timeout: 264 seconds]
06:50 -!- bakery [blackfores@216.131.70.179] has joined #openvpn
06:53 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 245 seconds]
06:55 -!- bakery [blackfores@216.131.70.179] has quit [Ping timeout: 245 seconds]
06:56 -!- bakery [~qjkh@124.248.205.28] has joined #openvpn
06:56 -!- tuxick [~userMurf@tuxick.xs4all.nl] has joined #openvpn
06:56 < tuxick> lo
06:56 <@ecrist> good morning
06:56 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
06:57 < tuxick> on ubuntu trying to use update-resolv-conf, but getting "Failed running command ( --up/--down): could not execute external program"
06:57 < tuxick> without any clue/explanation. script is executable of course
06:57 <@ecrist> so, the update-resolv-conf script isn't working
06:57 < tuxick> it lacks some verbosity :)
06:57 <@ecrist> have you tried executing it as the user you run the openvpn process as?
06:58 < tuxick> starting it as root
06:58 <@ecrist> let me see your config
06:58 < tuxick> added an 'echo FOO' to that script, i only see that echo when i run ./update-resolv-conf
06:59 < tuxick> well, config works, except the "up /etc/openvpn/update-resolv-conf" bit
06:59 <@ecrist> config, please
06:59 <@ecrist> also, an ls -l update-resolv-conf
07:00 < tuxick> world executable
07:00 < tuxick> sec for config
07:00 <@ecrist> I'd like to see the output, please
07:01 < tuxick> -rwxr-xr-x
07:01 <@ecrist> you're not very good at following directions
07:02 < tuxick> it's on my netbook, which is busy, paste will take a bit
07:02 <@ecrist> meh, I've got other things to do
07:04 < tuxick> i'll double-check when system update is done :)
07:07 -!- blackness- [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn
07:07 -!- blackness- [~black@ip98-185-21-138.rn.hr.cox.net] has quit [Client Quit]
07:08 -!- bauruine [~stefan@91.236.116.112] has quit [Quit: Leaving]
07:39 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit []
07:57 -!- sukosevato [sukosevato@a202101.upc-a.chello.nl] has joined #openvpn
08:33 -!- gustavoz [~gustavoz@host212.200-82-114.telecom.net.ar] has joined #openvpn
08:34 < gustavoz> hi, a quick question i couldn't find a quick answer to, are non-ipv6 builds deprecated for 2.3+ ?
08:38 < plaisthos> gustavoz: there are no non ipv6 builds
08:39 < gustavoz> plaisthos: ok thanks, then i guess the answer is yes :)
08:39 < plaisthos> basically 2.2 had no or only limited ipv6 support and 2.3 has ipv6 support
08:40 < gustavoz> exactly, i could build 2.2.x on a non-ipv6 enabled toolchain, but on 2.3 that option is missing
08:40 < plaisthos> gustavoz: You have a non-ipv6-enabled toolchain?
08:41 < gustavoz> plaisthos: sure, on buildroot we give that option when possible, that's the reason for my question, at the moment it doesn't seem possible without patching around, probably a lot
08:42 < plaisthos> gustavoz: what is that? SunOS 4.x?
08:42 < gustavoz> plaisthos: a tool for building embedded linux root filesystems / firmwares / whatever
08:43 < plaisthos> gustavoz: but these still have the ipv6 library functions
08:43 < gustavoz> plaisthos: on uClibc not necessarily
08:43 < plaisthos> a non-ipv6-enabled toolchain I would expect to miss functions like getaddrinfo
08:43 -!- Orbi [~opera@anon-186-110.vpn.ipredator.se] has quit [Quit: Orbi]
08:44 < gustavoz> since it's tailored to be really small when the libc is configured for non-ipv6 builds some structures are missing too
08:44 < gustavoz> for instance in6_pktinfo
08:45 < gustavoz> s/instance/example/ :)
08:46 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn
08:48 < plaisthos> Yeah. There is no ipv4 only version of openvpn in 2.3
08:48 < plaisthos> time to move on ;)
08:48 < gustavoz> cool, thanks, i'm not about to bitch about it, just wanted to know :)
08:49 < gustavoz> the option is given when possible, there are no guarantees for future versions
08:49 < gustavoz> it's not like you can build Qt without a full C++ toolchain for example
08:55 * tuxick mumbles about addrinfo
08:55 < plaisthos> tuxick: ?!
08:57 <+pekster> gustavoz: IPv6 should work fine on ulibc; OpenWRT uses that on its backend and supports IPv6
08:58 <+pekster> Maybe that project can offer hints as to the linking required for OpenVPN to build against it? I haven't looked at the kernel code on recent OpenWRT versions to see if they had to make adjustments or not, but it sounds like it's doable. If OpenVPN won't build cleanly, I'm sure patches or discussion on the dev mailing list would be appreciated
08:58 < tuxick> plaisthos: nevermind :)
09:00 < gustavoz> pekster: yes that's true, it's just that buildroot is more option-Y for the toolchain than openwrt
09:00 <+pekster> Sure. And if your buildroot lacks support you have lower-level issues to fix first
09:00 <+pekster> I'm just suggesting a place to start if you want to see how a project has managed ulibc in particular with IPv6 given that they're both targeted to embedded systems
09:01 < gustavoz> it's just a matter of accounting for it in Kconfig, hence my question if it's intended or just broken
09:01 <+pekster> Sure
09:02 < gustavoz> i'm all for ipv6 support by default, just covering my ass so to speak when some freaky asks about why
09:02 <+pekster> "Because IPv4 is busted" is a nice answer ;)
09:03 <+pekster> IMO it's foolish to design or publish a system these days without IPv6 support available. Maybe not active if you're part of the large IPv4-only Internet still, but the age is coming to an end ;)
09:03 < gustavoz> it's like the non-crypto option being gone (!openssl & !polarssl), it's a damn vpn package, you WANT crypto
09:03 <+pekster> Right. GRE or IPIP is for tunneling without crypto :P
09:04 * pekster is greatly looking forward to the day when everything is more or less globally uniquely identifiable. It'll be just like the 1980's all over again :D
09:05 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
09:09 < gustavoz> heh, i wish my ISP would have IPv6 connectivity, it's like the dark ages here
09:09 < plaisthos> gustavoz: don't wish for it
09:09 < plaisthos> one provider here now gives its customers IPv6 because they are running out of IPv4
09:09 < plaisthos> and you get Dualstack lite
09:13 < gustavoz> ouch!
09:15 < tuxick> when i requested a /64 for office ISP told me they could only give me 64 addresses
09:16 < tuxick> assuming i had some sales clown on phone, but it turned out correct
09:16 <+pekster> wow, that's nuts
09:16 < tuxick> "sorry that's all we can do now"
09:16 <+pekster> The recommendation is a /64 or even a /58 for *residential* networks
09:16 < tuxick> i have native /64 for my home dsl :)
09:16 <+pekster> And larger for offices
09:16 < tuxick> ye
09:17 <+pekster> One thing I'm hoping we don't see is segregated tiers of IPv6 "service" where the lower tiers just give you a handful of IPs for home devices (say a /120 or something) and they have you pay a "premium" for proper IPv6 access
09:18 <+rob0> We WILL see. Greed, ignorance and incompetence are the rule.
09:18 < tuxick> idd
09:18 <+hazardous> my isp gives /56
09:19 <+pekster> One of the "good guys" then
09:19 -!- Minnebo [~Minnebo@office.exabyte.be] has joined #openvpn
09:25 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 264 seconds]
09:27 -!- Devastator [~devas@186.214.14.9] has joined #openvpn
09:31 -!- Devastator [~devas@186.214.14.9] has quit [Changing host]
09:31 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
09:35 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
09:42 -!- cornfeed [~cornfeed@unaffiliated/cornfeed] has left #openvpn ["Once you know what it is you want to be true, instinct is a very useful device for enabling you to know that it is"]
09:53 < plaisthos> tuxick: 64 addresses?!
09:53 <+hazardous> pekster: rdns too! and static ips! and v4 subnets! and symmetrical
09:53 <+hazardous> this has made me hate normal 'big monopoly' isps so much
09:54 < tuxick> plaisthos: ye, i was convinced some sales manager misunderstood the 64 bit
09:56 <+hazardous> 07:16:00 < tuxick> assuming i had some sales clown on phone, but it turned out correct
09:56 <+hazardous> i've had some sales guy at comcast tell me each ipv6 was subject to the same $5/IP/month charge for static ipv6 single addresses
09:57 < tuxick> haha
09:58 <+rob0> And Comcast is among the ipv6 leaders. In the organization they probably do have ipv6 clue. But the suits run the show, and they're going to milk every possible penny out of it.
10:01 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
10:01 < plaisthos> tuxick: that sounds like a mixup between /64 and 64 ips and then someone forced the technicians to really do 64 ips
10:02 <+pekster> $5/ip/mo? haha
10:03 < tuxick> no, in the end i got someone on phone who explained they just didn't have the right hardware yet
10:03 <+pekster> python tells me: >>> 2**64*5
10:03 <+pekster> 92233720368547758080
10:03 <+pekster> Imagine them sending you a bill for that :P
10:03 < tuxick> but maybe that was a poor tech just covering for management idiots
10:03 <+pekster> Plus your monthly service cost :P
10:22 -!- master_of_master [~master_of@p57B54C0D.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
10:24 -!- Porkepix_ [~Porkepix@ppp-seco11pa2-46-193-142.4.wb.wifirst.net] has joined #openvpn
10:24 -!- master_of_master [~master_of@p57B52905.dip.t-dialin.net] has joined #openvpn
10:24 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn
10:25 -!- Porkepi__ [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
10:25 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 248 seconds]
10:25 -!- Porkepi__ is now known as Porkepix
10:27 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
10:28 -!- Porkepix_ [~Porkepix@ppp-seco11pa2-46-193-142.4.wb.wifirst.net] has quit [Ping timeout: 255 seconds]
10:29 -!- gustavoz [~gustavoz@host212.200-82-114.telecom.net.ar] has quit [Quit: Leaving]
10:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
10:32 -!- Minnebo [~Minnebo@office.exabyte.be] has quit [Ping timeout: 264 seconds]
10:48 < genghi1> hi… I noticed that when using learn-address, the $3 parameter is not preserved when a client is disconnecting, only connecting. Is that a known issue?
10:50 <+pekster> genghi1: That's intended behaviour according to the manpage. What's your use-case for wanting it on a delete action?
10:54 < genghi1> well… I can certainly do without it, but it would just make my iptables management easier if it was there
10:54 < genghi1> it is not really a problem for me
10:54 < genghi1> I was inserting the cn name into the comments for the rules
10:55 <+pekster> Why do you need to care about the comment when deleting them?
10:55 < genghi1> I was deleting them the lazy way by matching the rule itself and not the rule number.
10:55 < genghi1> that requires matching the comment too
10:55 -!- bakedin [~qjkh@111.192.134.20] has joined #openvpn
10:56 <+pekster> Oh. Well, don't use a comment then? :)
10:56 -!- bakery [~qjkh@124.248.205.28] has quit [Ping timeout: 260 seconds]
10:57 <+pekster> Or use a creative scripting solution to store it in a temp file and reference it by IP. I'd just do without it personally
10:57 < genghi1> heh, I'll add a comment but use awk or something to re-process the rules to delete them by rule number
10:57 < genghi1> no biggie
11:00 -!- bakedin [~qjkh@111.192.134.20] has quit [Ping timeout: 245 seconds]
11:02 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
11:03 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Client Quit]
11:04 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 264 seconds]
11:06 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 276 seconds]
11:09 < con3x> Woo, finally solved my problem
11:10 -!- raidz_away is now known as raidz
11:10 < con3x> Apparently I needed to add "route-nopull" to my config and just configure all my routes automatically
11:11 < con3x> /s/automatically/manually
11:12 <+pekster> Well, it's automatic after you manually script it :P
11:14 < con3x> Yeah :) I wrote a python script to do the DNS lookups :P need to do some packet inspection to see what pandora and hulu talk to now.
11:15 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn
11:15 < fu_fu> hi
11:15 < con3x> hi fu_fu.
11:17 < fu_fu> can "--ping-exit n" be used in the current version? and can it be used on the client side, or was it replaced by "keepalive"? should keepalive be used on the client side?
11:17 < fu_fu> ^^ i mean --ping-restart
11:18 < fu_fu> from the manpage it looks like keepalive is the new way to do it, maybe i just need to know if you have to put it on both sides
11:20 <+pekster> fu_fu: --ping needs to be on the opposite side from a --ping-restart or --ping-exit option
11:21 <+pekster> --keepalive is just a helper-directive to set both at once with values as described in the manpage; it's a helper-directive that expands to others
11:21 < fu_fu> thx for the clarification
12:25 -!- b1rkh0ff [~b1rkh0ff@178.77.8.47] has quit [Ping timeout: 252 seconds]
12:32 -!- Orbi [~opera@anon-186-110.vpn.ipredator.se] has joined #openvpn
12:38 -!- b1rkh0ff [~b1rkh0ff@178.77.1.200] has joined #openvpn
12:48 -!- nutron|w [~nutron@unaffiliated/nutron] has quit [Quit: I must go eat my cheese!]
13:03 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 276 seconds]
13:06 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
13:27 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
13:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
13:31 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
13:50 -!- pelle2 [~p@178-132-78-93.cust.azirevpn.net] has quit [Ping timeout: 276 seconds]
13:51 -!- novaflash [~novaflash@vpnserver1.jellemaautomatisering.nl] has quit [Changing host]
13:51 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
13:51 -!- mode/#openvpn [+o novaflash] by ChanServ
13:59 -!- deed02392 is now known as Daedy
14:01 -!- Orbi [~opera@anon-186-110.vpn.ipredator.se] has left #openvpn []
14:09 <+hazardous> goodbye orbi.
14:24 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has joined #openvpn
14:26 -!- sukosevato is now known as Cpt-Oblivious
14:36 -!- genghi1 [~Adium@p5089BF98.dip.t-dialin.net] has quit [Quit: Leaving.]
14:45 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye]
15:13 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
15:23 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
15:25 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
15:35 -!- pekster [~rewt@openvpn/user/pekster] has quit [Ping timeout: 255 seconds]
15:35 -!- pekster [~rewt@openvpn/user/pekster] has joined #openvpn
15:35 -!- mode/#openvpn [+v pekster] by ChanServ
15:37 -!- nutron|w [~nutron@24.67.96.21] has joined #openvpn
15:38 -!- nutron|w [~nutron@24.67.96.21] has quit [Changing host]
15:38 -!- nutron|w [~nutron@unaffiliated/nutron] has joined #openvpn
15:41 -!- nutron is now known as Guest25591
15:44 -!- nutron|w is now known as nutron
15:51 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Quit: HydraIRC -> http://www.hydrairc.com <- In tests, 0x09 out of 0x0A l33t h4x0rz prefer it :)]
15:52 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
15:52 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 18.0/20130104151925]]
15:56 < dioz> for server bridge
15:56 < dioz> in the instance there is only one client
15:56 < dioz> and one ip in the "pool"
15:57 < dioz> can i use server-bridge 10.8.0.4 255.255.255.0 10.8.0.4 10.8.0.4
16:14 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit []
16:28 -!- Azrael808 [~peter@cpc17-walt12-2-0-cust657.13-2.cable.virginmedia.com] has joined #openvpn
16:59 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn
17:01 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Quit: Leaving]
17:17 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
17:18 -!- Devastator [~devas@186.214.14.9] has joined #openvpn
17:18 -!- Devastator [~devas@186.214.14.9] has quit [Changing host]
17:18 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
17:22 -!- Azrael808 [~peter@cpc17-walt12-2-0-cust657.13-2.cable.virginmedia.com] has quit [Ping timeout: 245 seconds]
17:37 -!- swat [~swat@ubuntu/member/swat] has quit [Quit: Leaving.]
17:40 -!- blackness [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn
17:40 < blackness> to set a list of IPs for the allowed connection, should i allow * via the program and filter iptables or the other way around?
17:41 <+hazardous> why not both?
17:41 -!- MagisterQuis [~MagisterQ@unaffiliated/kd5pbo] has left #openvpn []
17:41 < blackness> little wasteful don'tcha think?
17:42 < blackness> plus does the .conf accept CIDR settings?
17:55 -!- ddaydj [~ddaydj@rrcs-66-91-144-147.west.biz.rr.com] has joined #openvpn
17:57 < ddaydj> hello. so is there a trick to get the community client to push routes on windows without running as admin?
17:59 < ddaydj> i can connect to the vpn with the community client, but no routes unless i run as admin. i've used the access server client with another vpn and that pushes routes, but for some reason, i can't connect to this new vpn server i setup with that client
18:03 < blackness> what about disabling ACL's?
18:03 < blackness> or set the program to run as admin by default?
18:07 < ddaydj> that would still require an admin password that the user won't have
18:08 < blackness> no it won't, you add the program into the ACL..unless you have some weird setup..only time i use windows is when i fix others' computers lol.
18:10 < ddaydj> i'm not sure how well that will work. i'll look into it tho
18:10 < ddaydj> some of the client computers will not be ones that are administrated by other companies so i'm not sure how they'll like that idea
18:11 < ngharo> i'd setup the VPN on a gateway then
18:11 < ddaydj> the server? or the client?
18:12 -!- b1rkh0ff [~b1rkh0ff@178.77.1.200] has quit [Ping timeout: 248 seconds]
18:12 < ngharo> client
18:12 < ddaydj> like set it as the default gateway on the workstation?
18:12 < ngharo> like connect the default gateway up to your vpn server
18:13 < ddaydj> that's not an option. my clients are going to be laptops at people's homes and workstations inside vendors' networks
18:14 < ngharo> i see
18:14 -!- brute11k [~brute11k@89.249.235.236] has quit [Quit: Leaving.]
18:15 < ngharo> http://openvpn.net/index.php/open-source/documentation/install.html?start=1
18:15 <@vpnHelper> Title: Installation Notes - Installation (Win32) (at openvpn.net)
18:15 < ngharo> describes running openvpn as a service
18:16 < ddaydj> i'm familiar with doing that, but that's an always on thing. limited user accounts can't start and stop services
18:17 -!- Cpt-Oblivious [sukosevato@a202101.upc-a.chello.nl] has quit []
18:17 < ddaydj> in the case of the access server client, it has a service installed which i think is what it uses to push the routes when connecting from a limited user account
18:17 < ddaydj> afk for a minute
18:22 < ddaydj> so can you guys help with troubleshooting the access server client? or is that the other channel?
18:29 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Read error: Operation timed out]
18:29 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn
18:41 -!- ddaydj [~ddaydj@rrcs-66-91-144-147.west.biz.rr.com] has quit []
18:45 -!- donhoe [~jeepers@c-69-247-138-234.hsd1.tn.comcast.net] has joined #openvpn
18:52 -!- ikonia [~irc@unaffiliated/ikonia] has quit [Read error: Operation timed out]
18:52 -!- ikonia [~irc@unaffiliated/ikonia] has joined #openvpn
19:12 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Connection reset by peer]
19:31 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
19:54 < ngharo> !as
19:54 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
19:57 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:57 -!- raidz is now known as raidz_away
20:06 -!- p3rror [~mezgani@2001:0:53aa:64c:2cea:7a37:d673:480f] has joined #openvpn
20:11 -!- holmen_ [~holmen@h-30-250.a176.priv.bahnhof.se] has joined #openvpn
20:14 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has quit [Ping timeout: 260 seconds]
20:17 -!- EugeneKay [eugene@go-without.me] has quit [Remote host closed the connection]
20:18 -!- EugeneKay [eugene@go-without.me] has joined #openvpn
20:36 <+dvl> http://dan.langille.org/2013/01/15/how-not-to-order-ram-for-your-motherboard/
20:53 < EugeneKay> I've done that.
20:56 -!- p3rror [~mezgani@2001:0:53aa:64c:2cea:7a37:d673:480f] has quit [Ping timeout: 260 seconds]
21:55 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
21:56 < kunji> !welcome
21:56 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
21:56 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:56 < kunji> !goal
21:56 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:56 < kunji> !howto
21:56 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
21:58 < kunji> !route
21:58 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for more info about a more basic networking guide
21:59 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has quit [Quit: Leaving.]
23:26 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
23:28 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 256 seconds]
23:50 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
23:52 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 246 seconds]
23:55 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
23:58 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 245 seconds]
--- Day changed Wed Jan 16 2013
00:06 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
00:09 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 248 seconds]
00:30 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
00:32 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 248 seconds]
00:33 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
00:35 -!- arekm [~arekm@pld-linux/arekm] has quit [Read error: Connection reset by peer]
00:35 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 252 seconds]
00:38 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
00:40 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Read error: Connection reset by peer]
00:41 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 255 seconds]
00:43 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
00:44 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 246 seconds]
00:47 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
00:47 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn
00:48 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
00:49 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 264 seconds]
00:51 -!- Orbi [~opera@109.129.7.235] has joined #openvpn
00:56 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
00:58 -!- Orbi [~opera@109.129.7.235] has quit [Ping timeout: 245 seconds]
00:59 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 264 seconds]
00:59 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
01:00 -!- brute11k [~brute11k@89.249.235.236] has joined #openvpn
01:01 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 256 seconds]
01:17 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
01:20 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 255 seconds]
01:28 -!- UberDuper [~UberDuper@wsip-174-77-66-158.ph.ph.cox.net] has quit [Read error: Connection reset by peer]
01:28 -!- UberDuper [~UberDuper@wsip-174-77-66-158.ph.ph.cox.net] has joined #openvpn
01:38 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn
01:44 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds]
01:51 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
01:52 -!- b1rkh0ff [~b1rkh0ff@178.77.1.200] has joined #openvpn
01:57 -!- ade_b [~Ade@109.58.215.97.bredband.tre.se] has joined #openvpn
01:57 -!- ade_b [~Ade@109.58.215.97.bredband.tre.se] has quit [Changing host]
01:57 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:02 -!- tuxick [~userMurf@tuxick.xs4all.nl] has left #openvpn []
02:04 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 245 seconds]
02:05 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
02:07 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
02:07 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Remote host closed the connection]
02:11 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
02:12 < joako> Is there any way I can fully integrate the OpenVPN client with Windows, so the user doesn't need to type their password twice?
02:15 <+pekster> joako: Not really. You might be able to use some creative PKCS11 (ie: smart card) scenario if you're already using smartcards to log users in locally
02:16 < joako> What if I set it up with certificates only? Could I issue the certificates automatically through Windows and load the CA into OpenVPN server?
02:17 <+pekster> Optionally, you could store the required password somewhere that uses whatever programming APIs Windows gives you to decrypt it and pass it back on the management interface. An inferior version of that approach is to store the password in plaintext inside an EFS or bitlocker-protected folder, but that's usually a bad idea since any malware would have access to the decrypted version
02:17 <+pekster> joako: Same problem, basically, unless you're willing to keep unencrypted private keys on the laptop (which is trivial for an attacker who knows what they're doing to swipe from a non-disk-encrypted PC in just a couple of minutes)
02:17 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
02:18 <+pekster> Traditionally, you encrypt the private key so such compromise as I noted above doesn't occur due to exposure of the key file
02:21 < joako_> I don't know how Windows handles storing the certificates -- and quite frankly I don't care. Could OpenVPN use the certificates stored in Windows directly?
02:21 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
02:22 <+pekster> No
02:23 <+pekster> OpenVPN does not use the "Certificate Manager" keystore
02:23 <+pekster> It supports only keypairs via flat-files and PKCS11 providers
02:27 < joako_> Actually I am reading here and it does appear possible. The only issue would be to generate a cryptoapicert that would be universal to all machines
02:28 < kunji> joako: mind linking what you're reading?
02:28 <+pekster> joako_: Oh, I stand corrected. See the --cryptoapicert option in the manpage
02:29 < joako_> 1) http://serverfault.com/questions/38528/openvpn-with-a-windows-certificate-services-pki 2) http://www.mentby.com/Group/openvpn-users/cryptoapicert-and-windows-7.html etc
02:29 <@vpnHelper> Title: vpn - OpenVPN with a Windows Certificate Services PKI - Server Fault (at serverfault.com)
02:31 <+pekster> joako_: So, you can import the pkcs12 file containing both keys. I don't know what you're going on about generating a universal cert, because that doesn't appear to be required or something you'd want in such a setup
02:32 < joako_> pekster: No I would deploy the certificate through Windows autoenrollment but I would need the OpenVPN configuration to be identical for every machine so I don't need to manage that
02:33 <+pekster> That gets a little messy, because *all* certs signed by the CA (even the ones for computer$ accounts, etc) will be seen as valid accounts. Additionally, since you presumably don't generate CRLs every time you un-join a computer or remove an AD user, old keypairs from terminated employees would be valid VPN credentials
02:33 <+pekster> You could do some magic on the server-side I suppose via ccd files or using the key subject or fingerprint or something, but that sounds like a lot of work on your end to code that
02:34 <+pekster> Maybe you can get Windows auto-enrollment to use a special CA with a PKI specifically for VPN access, but you still need to deal with revocation or otherwise verifying a cert belongs to an active user that should have access
02:35 <+pekster> I have very limited experience with server-side certificate services in AD
02:38 <+pekster> joako_: Oh, and see the note in your 2nd link too about the scope of the program execution; normal users (even when they are "administrators") under UAC can't add routes, so OpenVPN runs as the actual 'administrator' user. Choices to get around that are 1) disable UAC or 2) as the reply there suggests, add the keypair to the 'administrator' keystore on the PC, not the user keystore (which probably screws up your auto-enrollment options)
02:38 <+pekster> How's that for some required reading? ;)
02:40 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn
02:43 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 256 seconds]
02:43 < kunji1> Hmm, I don't know the application here exactly, but would it be acceptable to just not use passwords? Windows will be doing your security, so if they can login then they can get on the VPN right? So then, why not just use certs without passwords? I'm new to VPN, so.. don't bash this noob too hard :P
02:43 <+pekster> kunji1: What do you mean "windows will be doing your security" ?
02:44 <+pekster> You either need to auth users by --auth-user-pass-verify or by X509
02:45 <+pekster> Yes, you can use X509 via PKCS11 or the cryptoapicert features, but I just identified all the complicating factors with the cryptoapicert features on recent (>=Vista) versions
02:46 <+pekster> kunji1: Unless you mean leave the key unencrypted on the hard disk. Ask your friendly neighborhood hacker you trust to show you how fast they can pull files off your hard disk some time ;)
02:47 <+pekster> (malware is also a threat, even if you do bitlocker encryption of your disk, so no trying to squirm out on that technicality either)
02:47 <+pekster> Java 0-day anyone? ;)
02:48 < kunji1> pekster: mind going through the standard process real quick for me then? I was likening it to passwordless ssh setup in my head, but that may not be applicable here.
02:49 < joako_> So then OpenVPN is not secure?
02:50 < kunji1> joako_: It's secure, unless you really botch your config.
02:51 < joako_> kunji1: I currently have a standard config and the keys are just stored on my hard drive
02:53 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 245 seconds]
02:53 < kunji1> joako_: Well, thing about that is, as pekster was saying, that the security is only as good as that of your OS in that situation.
02:56 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
03:00 <+pekster> kunji1: you mean pubkey ssh auth? OpenVPN's X509 support is exactly like that, except it uses X509 for delegating trust
03:00 <+pekster> CryptoAPI just keeps the plaintext cert in the keystore and encrypts it itself
03:01 <+pekster> It's a fine way to store it (provided you trust the encryption and SSO scheme it uses) but the issue is generating it automatically to the keystore and calling it for OpenVPN
03:01 < kunji1> pekster: Hmm, so you're fine as long as your files are secure, of course this becomes much harder as soon as we're not just talking about my files, but everyone at a company... and on windows as well.
03:02 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
03:02 <+pekster> kunji1: What are you going on about? Yes, files can be stolen a variety of ways, even more so from unencrypted disks. This is why your ssh private key is encrypted with a passphrase, and so should your on-disk OpenVPN keys
03:04 < kunji1> pekster: I'm referring to the case where you need to automate ssh communication between servers.
03:05 <+pekster> Then yes, if you're doing that non-interactively you need to store unencrypted keys somewhere, or store the decryption password in plaintext somewhere (not really any better)
03:06 <+pekster> Hopefully people doing that have hardened their systems as much as possible and limited the ssh key usage on the remote end to the specific command that it needs to perform (as is the recommendation)
03:13 < kunji1> pekster: Yes indeed, that's something I'm much more familiar with than vpn. Hmm, ... the openvpn documentation could really have been more explicit about that, it's mentioned in a pretty nonchalant manner (about passwords). Same for the Ubuntu documentation on installing openvpn.... I don't think that mentions it at all.
03:13 <+pekster> Same with ssh, if you get down to it. If you're handling private keys or pkcs12 files, you presumably know what you're doing
03:14 <+pekster> It's rare to find an average user who knows how to use 'openssl rsa' commands that is completely ignorant of what they're doing
03:16 -!- Castorrr [Castor_@CPE-72-133-200-232.wi.res.rr.com] has quit []
03:33 < kunji1> pekster: .. so I'm still missing the part where we decided RAM is so secure if the HD isn't...
03:36 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
03:37 -!- joako_ [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
03:37 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
03:43 <+pekster> kunji1: RAM can't be (easily) attacked offline
03:44 <+pekster> If you power off, the RAM is dead. The encrypted cert is safe, provided it's encrypted such that brute-force is non-trivial
03:44 <+pekster> Boom. Next security problem?
03:45 <+pekster> (and honestly, if you're worried about someone flash-freezing your DRAM chips, you should keep your laptop on you at all times and a loaded firearm in your hand)
03:45 <+pekster> !shotgun
03:45 <@vpnHelper> "shotgun" is (#1) the most effective form of physical security or (#2) shotgun security? If you try to physically attack my network, I chase you with a shotgun.
03:45 < kunji1> Of course, I was assuming online, offline is possible, but as you say, it's nontrivial.
03:45 <+pekster> keys aren't kept in RAM unless you specify --persist-key
03:45 <+pekster> They're re-read from disk each time they're required
03:46 <+pekster> (session keys are of course in RAM, but those rotate hourly by default)
03:48 < kunji1> Hmm, they're read into RAM though right, when required, and then that RAM is freed or overwritten?
03:52 < con3x> What is a good channel to ask a question about kernel routes. Some of my routes seem to be ignored and the default route is taken.
03:53 < con3x> I'm sure the routes are set up correctly and they appear to work in some cases, enough to start watching a video on netflix.
03:53 < kunji1> ##networking is a good place to ask, make sure to post your routes for them, and what ones seem to be ignored.
03:53 < con3x> Thanks :)
03:56 -!- Minnebo [~Minnebo@78-20-135-159.access.telenet.be] has joined #openvpn
04:01 < kunji1> pekster: Shotgun approach is nice :P About the flash freezing, well there's easier ways to get at the RAM, it does need to be an initially powered on system (assume locked or whatnot), but depending on exactly what hardware it is (and even the luck of manufacturing tolerances really) it can be possible to reboot the machine and get a good dump of the RAM contents to say a USB. This is of course typically easy to stop by not having the c
04:02 <+pekster> Sure. I'm unclear how this has to do with not storing your plaintext key on a disk somewhere
04:02 -!- joako_ [~joako@99-153-161-249.lightspeed.miamfl.sbcglobal.net] has joined #openvpn
04:02 -!- joako_ [~joako@99-153-161-249.lightspeed.miamfl.sbcglobal.net] has quit [Changing host]
04:02 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
04:02 <+pekster> OpenVPN can't protect you from RAM-reading attacks (online or offline.) OpenVPN can leverage openssl's ability to decrypt RSA keys on the fly, however
04:04 -!- Minnebo_ [~Minnebo@78-20-132-224.access.telenet.be] has joined #openvpn
04:04 -!- Minnebo [~Minnebo@78-20-135-159.access.telenet.be] has quit [Ping timeout: 240 seconds]
04:04 <+pekster> It's the difference between leaving your housekey on top of your doormat and putting it in one of those locked key boxes for the realtor to access
04:04 <+pekster> Pick how you want to secure access to your network ;)
04:05 < kunji1> pekster: It doesn't at this point, not precisely. I was tending towards saying that RAM and HD security is not terribly different, but I suppose I see the point in the case of say theft or misplacement of devices.
04:06 -!- Minnebo__ [~Minnebo@78-20-132-224.access.telenet.be] has joined #openvpn
04:06 <+pekster> Or a java 0-day that breaks out of its sandbox and copies your c:\secret\my-unencrypted-key.key file to a dropbox account
04:06 < kunji1> Hmm, I like the analogy :P, can't I take my key with me T.T
04:06 <+pekster> That's much less bad than if your key was encrypted
04:06 <+pekster> w/than if/when/
04:07 <+pekster> s@w/@s/@
04:07 <+pekster> :(
04:07 <+pekster> Stealing files isn't just for physical theft anymore! ;)
04:08 * Wintereise steals pekster.
04:08 <+pekster> I'd better revoke my certificate and publish a CRL for myself :P
04:08 < kunji1> Yeah, I need to sleep... that's what I'm going to blame for whenever I say something stupid in here (it is 5 A.M. where I am).
04:08 < Wintereise> :x
04:09 -!- Minnebo_ [~Minnebo@78-20-132-224.access.telenet.be] has quit [Ping timeout: 245 seconds]
04:09 < con3x> Got no response in #networking :( so:
04:09 < con3x> Hello there, I'm having a small problem with routes, I'm trying
04:09 < con3x> to route certain ip addresses through an OpenVPN server, but
04:09 < con3x> some aren't actually passing through and are just going out over
04:09 < con3x> the default gateway; here is the output of ip route show:
04:09 < con3x> http://pastebin.com/z0KtdEAW. Can anybody see any problems with
04:09 < kunji1> I've heard enough about CRL..... stupid vehicular networks
04:10 <+pekster> protip: space after your URLs
04:10 <+pekster> (many consoles like to select-by-word and include them)
04:11 < con3x> I'll keep that in mind :)
04:11 <+pekster> So what, a destination matching one of those routes isn't sent across tun0, I presume?
04:11 < kunji1> Yeah, I never know what to do about the end of the sentence when that happens, usually I end up just leaving out the period altogether.
04:11 <+pekster> Example: http://google.com . More sample info about google goes here
04:11 <@vpnHelper> Title: Google (at google.com)
04:12 < con3x> http://pastebin.com/z0KtdEAW
04:12 <+pekster> Got it ;)
04:12 <+pekster> So, my question?
04:13 < con3x> Yeah, instead it just goes over a default route (if I run traceroute)
04:13 < con3x> I'll run one just now
04:13 <+pekster> Can you verify 'ip route get $target_ip' shows the tun0 exit/src?
04:14 < kunji1> Yeah, pekster, that's what I was asking about the other day, couldn't I just make all the traffic go over the vpn by setting the appropriate routes?
04:14 <+pekster> kunji1: If you can route by destination IP, yes. I forget what your specific issue was
04:14 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
04:16 < con3x> I think I may have just solved my own problem
04:18 < con3x> It's going out over the WAN, but the IPs seem to be different when I resolve them in python than when I run a traceroute
04:19 <+pekster> round-robin or low-TTL values will do that; don't rely on DNS in such cases
04:19 <+pekster> (or even a high TTL if the value changes between when you resolve it and the client does so again later)
04:19 <+pekster> IP-based route overrides are the wrong way to do web filtering, if that's your goal
04:21 < con3x> Just trying to get around localization guards for netflix.
04:22 <+pekster> Web proxy too hard?
04:23 <+pekster> I *think* silverlight respects the browser proxy setting (it'd have to for locations that require a proxy for outbound Internet access at the very least)
04:24 < con3x> Won't work on all the devices in the network :) also I want it to selectively route so the video images etc come off the CDN
04:25 < kunji1> pekster: Hmm, well I was trying to setup a bridged connection to that effect. I was able to try it today outside my network, and it wasn't working... It would connect with no errors, but no traffic was going over the vpn. Tried it again when I got home, but at that point I was inside my network again... so I don't think the return routing for packets was correct for when I'm connecting outside of my network. So I think I needed to add
04:25 <+pekster> Remind me again why you don't just use tun?
04:27 -!- joako_ [~joako@opensuse/member/joak0] has quit [Read error: Connection reset by peer]
04:28 -!- Minnebo__ [~Minnebo@78-20-132-224.access.telenet.be] has quit [Ping timeout: 252 seconds]
04:29 < kunji1> pekster: games, though we were considering a 2 daemon solution, but I'm not sure if it's accessing even the server right now, let alone the internet. That is, it would claim to connect fine, but I'm not able to ping the server or any other machines on the LAN. I've changed some settings, so I'm going to try again tomorrow, and if that doesn't work I'll be bringing the logs etc..
04:30 < con3x> Apparently the DNS entries for cbp-us.nccp.netflix.com change in seconds
04:30 <+pekster> Ah, k. If you can't ping your LAN, you need to verify the addressing is correct on the client interface, and if it is, check your firewalls and bridge setup for errors. tcpdump/wireshark things liberally if you get stuck
04:31 -!- tMobile4a03 [~T4@n218250229105.netvigator.com] has joined #openvpn
04:31 < con3x> Either that or I'm doing my lookup wrong
04:32 <+pekster> Are you pulling all the A records returned?
04:33 <+pekster> It might still rotate within a larger set of IPs, but I get 8 IPs back for a dig request there
04:34 < con3x> Same here, just looking a little deeper. that domain itself has only a CNAME record
04:34 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has quit [Ping timeout: 252 seconds]
04:34 < con3x> Which as far as I can tell routes to a rotating base of AWS Servers
04:35 < kunji1> Can addressing on the server be incorrect? Because my guess was server addressing, and that's what I tried changing to test tomorrow. firewalls are disabled while testing. The bridge itself appears to be just fine (it comes up without any errors and I can ping everything from that machine). Ah good ol wireshark... I do need to learn how to use that properly, every actual network I'm on they would get really pissed about it though (mai
04:35 < con3x> I might just tell DNSMasq to forward only to those 8 and see how long it works for...
04:35 < con3x> /s/forward/return the ips for
04:37 <+pekster> con3x: Wrong. the CNAME returns multiple A records which you clearly aren't handling
04:37 <+pekster> Now that list could still be part of a larger rotation, but it's not a single IP
04:37 <+pekster> https://pastee.org/2y6f5
04:37 < kunji1> By addressing on the server I mean the ip and range the server pushes to the client.
04:38 <+pekster> kunji1: The client might have failed to apply the fake-DHCP reply. Or the server might not be passing the options that match your LAN network
04:38 <+pekster> This is why you verify client addressing is correct
04:39 <+pekster> kunji1: Oh, and it also rotates the list of 8 you get back. Yup, you can't do that (as I noted above.) How about a web proxy ;)
04:40 <+pekster> con3x: ^^ that was for you
04:40 <+pekster> It'll work until the TTL expires, or about 60 seconds tops
04:40 <+pekster> ie: don't do that
04:40 < kunji1> Yeah, that second part, it wasn't very clear in what I read that it should match the LAN network, that's what I changed for testing tomorrow, it did report getting an IP, and it was in the configured range, and that did show properly when running ipconfig.
04:42 < con3x> pekster: Sorry, never meant it was a single IP, points towards a domain with 8 A records
04:42 < kunji1> con3x: There's probably an easier solution, but you could probably use snort for that.
04:43 < con3x> https://pastee.org/gevag
04:43 < con3x> and they change really frequently
04:46 -!- Minnebo [~Minnebo@office.exabyte.be] has joined #openvpn
04:48 * con3x writes a script to update routes every 60 seconds, FOR SCIENCE!
04:48 <+pekster> What happens when 1 second after your 1/60s script runs that the TTL expires?
04:49 <+pekster> Don't keep trying to pound a nail in with a fistful of water. Use a browser proxy
04:49 -!- tMobile4a03 [~T4@n218250229105.netvigator.com] has quit [Read error: Connection timed out]
04:50 < con3x> It won't work for the other devices sadly
04:50 <+pekster> transparent proxying works nicely
04:50 <+pekster> Or put them on a unique subnet and policy route
04:50 <+pekster> Or a handful of smarter choices
04:50 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has joined #openvpn
04:50 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has quit [Write error: Connection reset by peer]
04:51 < con3x> How would I do that? :)
04:51 <+pekster> A transparent proxy? Plenty of guides online to help
04:51 <+pekster> LARTC is a good place to start if you want to learn about policy routing and split routing: http://lartc.org/howto/
04:51 <@vpnHelper> Title: Linux Advanced Routing & Traffic Control HOWTO (at lartc.org)
04:52 < con3x> Thanks again :)
04:56 -!- Minnebo [~Minnebo@office.exabyte.be] has quit [Quit: Ik ga weg]
05:34 -!- holmen_ is now known as holmen
05:52 -!- mattock is now known as mattock_afk
05:53 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
06:05 -!- mattock_afk is now known as mattock
06:10 -!- donhoe [~jeepers@c-69-247-138-234.hsd1.tn.comcast.net] has quit [Ping timeout: 245 seconds]
06:11 -!- donhoe [~jeepers@c-69-247-138-234.hsd1.tn.comcast.net] has joined #openvpn
06:15 -!- donhoe [~jeepers@c-69-247-138-234.hsd1.tn.comcast.net] has quit [Ping timeout: 245 seconds]
06:29 -!- donhoe [~jeepers@31.193.12.99] has joined #openvpn
07:10 -!- dazo_afk is now known as dazo
07:58 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn
08:04 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
08:08 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
08:21 -!- ade_b [~Ade@129.178.182.25] has joined #openvpn
08:21 -!- ade_b [~Ade@129.178.182.25] has quit [Changing host]
08:21 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:24 -!- Azrael808 [~peter@212.161.9.162] has quit [Quit: Ex-Chat]
08:52 -!- ade_ [~Ade@129.178.182.25] has joined #openvpn
08:53 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 248 seconds]
08:55 -!- ade_ is now known as ade_b
08:56 -!- ade_b [~Ade@129.178.182.25] has quit [Changing host]
08:56 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:00 -!- u0m3_ [~Radu@92.80.72.203] has joined #openvpn
09:01 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
09:03 -!- u0m3 [~Radu@92.80.72.203] has quit [Ping timeout: 248 seconds]
09:04 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
09:20 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 245 seconds]
09:21 -!- ducblangis [~Ducblangi@24-117-207-111.cpe.cableone.net] has joined #openvpn
09:33 -!- s51itxsyc [~s51itxsyc@124.207.123.109] has joined #openvpn
09:35 < s51itxsyc> guys how make it if we have roughly 2000 users online same time, run them in a single subnet, or split several in multi conf files?
09:36 -!- BtbN [~btbn@btbn.de] has quit [Quit: Bye]
09:36 -!- BtbN [~btbn@btbn.de] has joined #openvpn
09:45 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
09:45 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn
09:47 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Client Quit]
09:50 <@ecrist> s51itxsyc: you have that many people connected to openvpn?
09:50 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
09:53 -!- bauruine [~stefan@91.236.116.112] has quit [Quit: Leaving]
09:55 -!- swat [~swat@ubuntu/member/swat] has quit [Quit: Leaving.]
09:55 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 09:58 < ducblangis> Holy.Shit.Man 09:59 < ducblangis> 2000 10:04 <@dazo> s51itxsyc: multiple conf files, on different ports per openvpn instance, but need to be separate (for simplicity in config) VPN subnets, but you can add routes so they can access the subnet(s) they need 10:05 <@dazo> s51itxsyc: but if all in one single subnet is a strict requirement, then there's no other options .... except perhaps switching to TAP and use bridging - but that will fail instantly, due to the massive broadcast traffic 10:06 <@dazo> (you would probably need between 10 and 20 openvpn instances too, for that amount of users to make it perform reasonably well if all clients are using all their bandwidth) 10:07 < wh1p> to be honest if your going to role out a vpn to 2000 users i would just not even consider going the open source route 10:07 < wh1p> with stuff like that you need real business support 10:07 <@dazo> wh1p: no problem with open source software in such enterprise setup ... but rather go for the OpenVPN AS Server would be advisable 10:08 < wh1p> it can be done and im not going to stop you but plan it the open source way and then go and plan it the proper way using proprietery cisco, draytek, sonicwall etc etc 10:08 <@dazo> OpenVPN AS is a commercial supported solution by OpenVPN Technologies, though .... 10:09 < wh1p> you will find your life easier, the support better and the service overall will probably be amazing with the proper dsetup in comparison to a home cooked idea 10:09 <@dazo> but my point is that, that doesn't exclude open source (in general) as a viable solution .... 
as long as you got the support need covered 10:09 < wh1p> my honest opinion is that going opensource is all cool and that but if something goes wrong and you cant fix it yourself, the proper business route with something like that really needs to be there 10:10 <+rob0> Most "real business support" options I see are incredibly lame. But to be fair, I doubt that applies to OpenVPN Technologies. 10:10 <+rob0> If you can't fix it yourself, hire someone who can. 10:11 < wh1p> im not saying dont go open source i lvoe the idea but with something that crucial it seems like it could cause really big problems for staff 10:11 <@dazo> wh1p: so you're saying New York Stock Exchange did a bad move when going for Red Hat Enterprise Linux? 10:11 < wh1p> ^rewad my comment above i love open source and the ideas and contributions behind it 10:11 <@dazo> but open source doesn't mean it's no good support solution around it .... 10:12 <@dazo> even commercial 10:12 < wh1p> but a vpn being the back bone for 2000 machines could be a really critical thjing to business operations 10:14 < wh1p> ok so let me go back to your original question 10:15 <@dazo> well, hardware solutions might be better suited ... but that doesn't mean open source isn't suitable either 10:16 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 10:17 < wh1p> never said it wasnt suitable 10:18 < s51itxsyc> thanks all your comments guys dazo wh1p rob0 :) 10:18 <+rob0> oh, I didn't address the question :) 10:19 <+rob0> The biggest drawback to one server for that many users is the lack of threading support. 10:19 <@dazo> wh1p: you did say this: "a vpn to 2000 users i would just not even consider going the open source route" .... that sounds like you don't find it suitable 10:19 <+rob0> For that reason I would probably break it up into several. 
10:21 < wh1p> dazo: i did say that because with something on that scale imho i would not like to be the one support a half baked role out, sure if it was a,ll planned and rolled out properly and had some some of support plan with openvpn it would be great 10:22 -!- master_of_master [~master_of@p57B52905.dip.t-dialin.net] has quit [Ping timeout: 252 seconds] 10:23 -!- master_of_master [~master_of@p57B55DD0.dip.t-dialin.net] has joined #openvpn 10:23 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 272 seconds] 10:26 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has quit [Ping timeout: 248 seconds] 10:26 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds] 10:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 10:34 < con3x> I wrote a script to constantly add the netflix routes to my routing table 10:35 < con3x> Seems to be working good enough :) 10:39 -!- suprsonic [~suprsonic@services.landonsanderson.com] has joined #openvpn 10:39 < suprsonic> what the recommended key length for openssl? 10:41 -!- s34n [~chatzilla@ip-208-76-93-210.mvdsl.com] has joined #openvpn 10:47 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 255 seconds] 10:51 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 240 seconds] 10:59 < s34n> I had a working config for gnome's network manager openvpn plugin on my last computer 10:59 < s34n> When can I find that to copy it to my new computer? 
10:59 -!- suprsonic [~suprsonic@services.landonsanderson.com] has left #openvpn [] 11:01 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 11:04 -!- defswork [~andy@141.0.50.105] has joined #openvpn 11:04 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 260 seconds] 11:04 -!- Orbi [~opera@anon-149-21.vpn.ipredator.se] has joined #openvpn 11:06 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 11:10 -!- raidz_away is now known as raidz 11:11 -!- Orbi [~opera@anon-149-21.vpn.ipredator.se] has quit [Ping timeout: 240 seconds] 11:22 < s34n> I'm a little bit confused about the ip addresses requested by the gnome network manager plugin 11:22 < s34n> it wants a gateway, a remote ip address, and a local ip address 11:23 < s34n> I was expecting to provide the address of the vpn server and have my client negotiate things from there with the server 11:23 -!- NChief [tomme@unaffiliated/nchief] has quit [Quit: leaving] 11:24 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn 11:32 < kunji1> I'm a complete noob at OpenVPN, but from the documentation, you should be able to do it that way, maybe not while using the gnome plugin, but then again, I don't remember having to fill out all of that for the plugin either. I thought you give the plugin your openVPN client configuration file, no? 11:34 <+rob0> Well, that's just it. If you're asking Network Manager questions in the #openvpn channel, you might not get much help. 
11:34 <+rob0> !notovpn 11:34 <@vpnHelper> "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 11:51 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 264 seconds] 12:15 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has joined #openvpn 12:17 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 12:18 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 12:21 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 12:25 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 12:25 -!- b1rkh0ff [~b1rkh0ff@178.77.1.200] has quit [Ping timeout: 255 seconds] 12:26 -!- Mimiko [~Mimiko@89.28.88.177] has quit [] 12:26 -!- Orbi [~opera@anon-185-138.vpn.ipredator.se] has joined #openvpn 12:28 -!- Hugh_Man [~Hugh_Man@c-68-61-229-187.hsd1.mi.comcast.net] has joined #openvpn 12:29 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 252 seconds] 12:31 -!- izibi [~julian@unaffiliated/izibi] has joined #openvpn 12:32 < izibi> hi. how can i prevent openvpn from creating routes to the tunnel endpoint? 
12:33 -!- kingtuna [~tuna@173-162-122-197-miami.hfc.comcastbusiness.net] has joined #openvpn 12:33 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 12:33 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn 12:36 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 255 seconds] 12:36 -!- Orbi [~opera@anon-185-138.vpn.ipredator.se] has quit [Ping timeout: 272 seconds] 12:38 -!- s51itxsyc [~s51itxsyc@124.207.123.109] has quit [Ping timeout: 276 seconds] 12:38 -!- b1rkh0ff [~b1rkh0ff@178.77.7.250] has joined #openvpn 12:45 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn 12:47 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 256 seconds] 12:54 < izibi> or what would even be better: how can i change the gateway for the route to the tunnel endpoint? 12:59 -!- s34n [~chatzilla@ip-208-76-93-210.mvdsl.com] has quit [Ping timeout: 276 seconds] 13:01 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn 13:02 -!- kunji1 [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Ping timeout: 240 seconds] 13:05 -!- brute11k [~brute11k@89.249.235.236] has quit [Ping timeout: 255 seconds] 13:05 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has quit [Client Quit] 13:05 -!- brute11k [~brute11k@89.249.235.236] has joined #openvpn 13:07 -!- s34n [~chatzilla@ip-208-76-93-210.mvdsl.com] has joined #openvpn 13:07 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 13:11 -!- Hugh_Man [~Hugh_Man@c-68-61-229-187.hsd1.mi.comcast.net] has quit [Ping timeout: 264 seconds] 13:33 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has joined #openvpn 13:35 < KaiForce> Is there a how-to for multiple simultaneous connections from a windows client? Assuming that is possible, that is. 13:44 <+rob0> I suppose it is, but I don't use Windows. If all of those servers redirect the gateway, it would be rather ugly, of course. 
If they're just to connect to that site/LAN, however, it should be no problem. 13:50 < KaiForce> no, should not redirect gw. just to get to LAN 13:50 < KaiForce> to remote LANS i mean. A work from home person accessing multiple offices. 13:56 <+rob0> Another potential problem is if the LAN or VPN network ranges overlap/conflict. 13:57 < KaiForce> No they are distinct 13:59 < KaiForce> I'm just trying to figure out how to connect the second connection. When I connect more than one, I get "All TAP-Win32 adapters on this system are currently in use." 14:01 -!- daemonoob [~rschultz@68-233-212-42.static-ip.telepacific.net] has joined #openvpn 14:07 < KaiForce> Ok, found it. There is an "addtap.bat" file in the bin folder for OpenVPN GUI. It creates additional TAP adapters (at least on XP, I'll have to see on Win 7) 14:23 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection] 14:24 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 14:26 -!- brute11k [~brute11k@89.249.235.236] has quit [Quit: Leaving.] 
14:27 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 14:39 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 14:39 -!- mode/#openvpn [+v s7r] by ChanServ 14:48 -!- zaki [~guest@93.98.88.82] has joined #openvpn 14:57 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Read error: Connection reset by peer] 14:57 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 14:58 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye] 15:38 -!- wh1p [~angus@host-2-100-148-6.as13285.net] has quit [Quit: Leaving] 15:52 -!- wh1p [~angus@host-2-100-148-6.as13285.net] has joined #openvpn 15:53 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 245 seconds] 15:57 -!- corretico [~luis@190.211.93.38] has joined #openvpn 16:01 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 18.0/20130104151925]] 16:07 -!- JackWinter1 [~jack@vodsl-4655.vo.lu] has quit [Quit: ZNC - http://znc.in] 16:08 -!- p3rror [~mezgani@41.249.97.52] has joined #openvpn 16:09 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn 16:17 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn 16:28 -!- s34n [~chatzilla@ip-208-76-93-210.mvdsl.com] has left #openvpn [] 16:31 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn 16:32 -!- p3rror [~mezgani@41.249.97.52] has quit [Quit: Leaving] 16:45 -!- swat [~swat@ubuntu/member/swat] has quit [Ping timeout: 260 seconds] 17:07 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [] 17:15 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 264 seconds] 17:21 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 17:21 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 276 seconds] 17:28 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] 
has joined #openvpn 17:58 -!- kusznir [~kusznir@76.178.145.28] has joined #openvpn 17:58 < kusznir> Hi all: quick question: Does anyone know of a rackmount switch currently available (preferably 16-port, 100base-T) that has internal OpenVPN support? 18:01 < wh1p> openvpn is not something you would find in a switch rather something more like a router 18:04 < wh1p> kusznir: i would advise building a linux box and setting up openvpn on it 18:04 < wh1p> i will have a look see if i can find anything though which has openvpn built in 18:04 < kusznir> wh1p: I guess I was asking if anyone knew of a switch that included enough routing functionality to be a vpn endpoint. 18:05 < wh1p> no afaik that would never work 18:05 < kusznir> I found the Ubiquiti EdgeRouter, but it isn't actually shipping yet. 18:05 < kusznir> And I've seen other people with "vpn devices" that have ~8 ethernet ports on it. 18:06 < kusznir> I'd like a step up from a consumer-grade router running dd-wrt/openwrt hooked up to a switch. 18:06 < kusznir> An alix box would work I know...http://store.netgate.com/ALIX2D2-Kit-Black-Unassembled-P187C86.aspx 18:06 <@vpnHelper> Title: ALIX.2D2 Kit Black Unassembled @ Netgate (at store.netgate.com) 18:06 < wh1p> have a look at these products i hezard that some of them might support openvpn 18:06 < wh1p> http://www.wifi-stock.co.uk/products/routerboards-mikrotik.html 18:06 <@vpnHelper> Title: Wifi-stock.co.uk - Routerboards (Mikrotik) - WiFi Networking products at lowest prices in UK and Ireland (at www.wifi-stock.co.uk) 18:07 < kusznir> Also curious how common the hardware accelerated encryption is...I don't think it will be a big deal (don't plan on pushing high data rates), but I am also talking fairly weak processors... 18:08 < kusznir> My understanding is the geode processors have built-in hardware encryption engine that I'm told OpenVPN will take advantage of. 18:08 <@dazo> kusznir: build your own using a supermicro server? 
they got quite nicely priced 1U rack mountable servers 18:08 <@dazo> I dunno about geode ... but Intel CPUs with AES-NI instructions works very well 18:10 <@dazo> http://www.supermicro.nl/products/system/1U/ 18:10 <@vpnHelper> Title: Supermicro | Products | SuperServers | 1U (at www.supermicro.nl) 18:12 < kusznir> dazo: do you know if the atom CPUs have the instruction? 18:12 <@dazo> kusznir: dunno ... gotta check Intel's specs on their 'ark' site .. 18:13 <@dazo> kusznir: seems not ... http://ark.intel.com/products/71267/Intel-Atom-Processor-S1260-1MB-Cache-2_00-GHz 18:15 <@dazo> This one got AES-NI ... http://www.supermicro.nl/products/system/1U/5017/SYS-5017P-TF.cfm / http://ark.intel.com/products/65704/Intel-Core-i5-3610ME-Processor-3M-Cache-up-to-3_30-GHz 18:15 <@vpnHelper> Title: Supermicro | Products | SuperServers | 1U | 5017P-TF (at www.supermicro.nl) 18:15 <@dazo> (same compact box, but far more power in the CPU) 18:15 < kusznir> I was looking to avoid a full-fledged server install. This is supporting 15 embedded systems moving about 25k every 15min over a VPN. 18:16 <@dazo> kusznir: install Scientific Linux 6 ... and you'll get all updates going in automatically .... even embedded stuff needs to be updated regularly too, which is often a more cumbersome process 18:17 <@dazo> (and iirc, Scientific Linux 6 will have updates going on until 2020) 18:18 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn [] 18:27 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Quit: emmanuelux] 18:29 -!- emmanuelux [~emmanuelu@vpn7.freedom-ip.com] has joined #openvpn 18:31 <@raidz> OpenVPN IOS App now Available in the App Store 18:34 -!- kunji [~Kunji@141.216.172.169] has joined #openvpn 18:34 < dioz> can i do server-bridge 192.168.0.1 255.255.255.0 192.168.0.1 192.168.0.1 ? 
18:35 < dioz> tap 18:35 <@raidz> https://itunes.apple.com/us/app/openvpn-connect/id590379981 18:35 <@vpnHelper> Title: OpenVPN Connect for iPhone 3GS, iPhone 4, iPhone 4S, iPhone 5, iPod touch (3rd generation), iPod touch (4th generation), iPod touch (5th generation) and iPad on the iTunes App Store (at itunes.apple.com) 18:35 < dioz> coool 18:37 < dioz> the server-bridge objective indicates ip address, subnet, range, range 18:37 < kunji> dioz: umm, wouldn't that try to give out the server's ip to the connecting client? 18:37 < kunji> dioz: I don't think that first ip should be in the range. 18:37 < dioz> there is no range 18:37 < dioz> it's just a single ip 18:39 < kunji> dioz: But isn't that the ip used on the virtual interface of the server, so it should not be an ip the server gives out to a client, I think you should use at least 2 ips, one for the server, and one for the client, aka server-bridge 192.168.0.1 255.255.255.0 192.168.0.2 192.168.0.2 18:40 < kunji> I'm pretty new to this though, hmm, pekster would know, stick around and he'll see it eventually. 18:45 <@dazo> !ios 18:45 <@dazo> !iphone 18:45 <@vpnHelper> "iphone" is (#1) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries or (#2) http://modmyi.com/cydia/package.php?id=15784 for the gui portion or (#3) http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone or (#4) see http://www.guizmovpn.com/ for an iOS client for OpenVPN for 18:45 <@vpnHelper> iPhone and iPad. 18:46 <@dazo> !forget iphone 1 18:46 <@vpnHelper> Joo got it. 
18:46 <@dazo> !iphone 18:46 <@vpnHelper> "iphone" is (#1) http://modmyi.com/cydia/package.php?id=15784 for the gui portion or (#2) http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone or (#3) see http://www.guizmovpn.com/ for an iOS client for OpenVPN for iPhone and iPad. 18:46 <@dazo> !forget iphone 1 18:46 <@vpnHelper> Joo got it. 18:46 <@dazo> !iphone 18:46 <@vpnHelper> "iphone" is (#1) http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone or (#2) see http://www.guizmovpn.com/ for an iOS client for OpenVPN for iPhone and iPad. 18:46 <@dazo> !forget iphone 2 18:46 <@vpnHelper> Joo got it. 18:47 <@dazo> !learn iphone as "OpenVPN is now available for iOS in the App Store 18:47 <@vpnHelper> Error: No closing quotation 18:47 <@dazo> !learn iphone as OpenVPN is now available for iOS in the App Store 18:47 <@vpnHelper> Joo got it. 
18:47 <@dazo> !iphone 18:47 <@vpnHelper> "iphone" is (#1) http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone or (#2) OpenVPN is now available for iOS in the App Store 19:02 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has quit [Read error: Operation timed out] 19:03 -!- VunKruz [~hhhh@108-206-230-100.lightspeed.irvnca.sbcglobal.net] has joined #openvpn 19:03 -!- donhoe [~jeepers@31.193.12.99] has quit [Remote host closed the connection] 19:13 -!- Controlsfreek [~Controlsf@cpe-69-204-135-43.nycap.res.rr.com] has quit [Read error: Connection reset by peer] 19:14 -!- ducblangis [~Ducblangi@24-117-207-111.cpe.cableone.net] has quit [Ping timeout: 276 seconds] 19:14 -!- Controlsfreek [~Controlsf@cpe-69-204-135-43.nycap.res.rr.com] has joined #openvpn 19:35 -!- daemonoob [~rschultz@68-233-212-42.static-ip.telepacific.net] has quit [Quit: Leaving] 19:40 < kunji> ?.. I'm still connected to this, hmm 19:42 -!- raidz is now known as raidz_away 19:53 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn 19:53 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Changing host] 19:53 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn 19:57 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Read error: Connection reset by peer] 19:59 -!- b1rkh0ff [~b1rkh0ff@178.77.7.250] has quit [Ping timeout: 244 seconds] 19:59 -!- kunji [~Kunji@141.216.172.169] has quit [Read error: Connection reset by peer] 19:59 -!- kunji1 [~Kunji@141.216.172.169] has joined #openvpn 20:10 -!- dazo is now known as dazo_afk 20:11 -!- kunji1 [~Kunji@141.216.172.169] has quit [Read error: Connection reset by peer] 20:27 -!- Guest24601 [~root@216.17.109.26] has joined #openvpn 20:31 -!- s51itxsyc [~s51itxsyc@202.108.130.138] has joined #openvpn 20:43 -!- Guest24601 [~root@216.17.109.26] has left 
#openvpn [] 20:43 -!- cosmicgate [~root@216.17.109.26] has joined #openvpn 20:43 < cosmicgate> Hi, 20:43 < cosmicgate> may i know what is the default encryption cipher for openvpn? 20:46 -!- nucl3ar [~atom@31.193.12.99] has joined #openvpn 21:03 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 248 seconds] 21:04 -!- corretico [~luis@190.211.93.38] has joined #openvpn 21:06 -!- nucl3ar [~atom@31.193.12.99] has quit [Quit: g'byte] 21:27 -!- cosmicgate [~root@216.17.109.26] has quit [Ping timeout: 255 seconds] 21:31 -!- CrashTM [~CrashTM@69.162.93.219] has joined #openvpn 21:31 < CrashTM> how might someone go about forwarding a port to a openvpn client 21:32 < CrashTM> iptables -t nat -A PREROUTING -p tcp --dport (port) -j DNAT --to-destination (client ip) 21:33 < CrashTM> iptables -A FORWARD -s (client ip) -p tcp --dport (port) -j ACCEPT 21:33 < CrashTM> does that look right 21:41 < CrashTM> !def1 21:41 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. 
or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 21:42 < ngharo> !linportforward 21:42 <@vpnHelper> "linportforward" is (#1) to forward port 80 tcp to a vpn client, use this (replacing with the real ip of the server, and with the clients VPN ip) or (#2) iptables -t nat -A PREROUTING -i eth0 -d -p tcp --dport 80 -j DNAT --to or (#3) iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT 21:46 -!- Castor_ [Castor_@CPE-72-133-200-232.wi.res.rr.com] has joined #openvpn 21:46 -!- uberushaximus [~uberushax@shepard.sypherz.com] has joined #openvpn 22:00 -!- CrashTM [~CrashTM@69.162.93.219] has quit [Read error: Connection reset by peer] 22:01 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has joined #openvpn 22:01 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has quit [Client Quit] 22:25 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Read error: Connection reset by peer] 22:25 -!- ben1066 [~quassel@2a03:b200:9::824e:1e6e] has joined #openvpn 22:25 -!- ben1066 [~quassel@2a03:b200:9::824e:1e6e] has quit [Changing host] 22:25 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn 22:53 -!- cosmicgate [~root@216.17.109.26] has joined #openvpn 22:58 -!- cosmicgate [~root@216.17.109.26] has quit [Quit: bye] --- Day changed Thu Jan 17 2013 00:00 -!- cosmicgate [~root@216.17.109.26] has joined #openvpn 00:02 -!- blackness is now known as blackmagic 00:11 -!- cosmicgate [~root@216.17.109.26] has quit [] 00:11 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has quit [Ping timeout: 260 seconds] 00:12 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has joined #openvpn 00:42 -!- brute11k [~brute11k@89.249.235.236] has joined #openvpn 00:50 -!- emmanuelux [~emmanuelu@vpn7.freedom-ip.com] has quit [Quit: emmanuelux] 01:28 -!- Varazir_ is now known as Varazir 01:38 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has 
joined #openvpn 01:45 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 260 seconds] 01:45 -!- Minnebo [~Minnebo@office.exabyte.be] has joined #openvpn 01:45 < Minnebo> Guys, i'm still stuck with one problem 01:45 < Minnebo> Can someone check my server/client config? 01:46 -!- cosmicgate [~root@216.17.109.26] has joined #openvpn 01:46 < Minnebo> I can connect and everything works like a charm, but I cannot get the route work to use \\sbs2011 to get to the shares 01:46 < Minnebo> my server is on 192.168.100.1 01:47 < Minnebo> so I did an push "route 192.168.100.0 255.255.255.0" 01:47 < Minnebo> when I do print route on my client pc 01:48 < Minnebo> I see that the route is added 01:48 <+pekster> Is your DNS or WINS set up to do resolution across the VPN correctly? 01:48 <+pekster> You can't expect private names to resolve without setting that up 01:49 < Minnebo> where can I set those things? 01:49 < Minnebo> !dns 01:49 < Minnebo> :D 01:49 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns 01:49 < Minnebo> !pushdns 01:49 <@vpnHelper> "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#4) in unix you'll use the update-resolv-conf script or (#5) also 01:49 <@vpnHelper> http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7 01:50 <+pekster> DNS on windows is kind of a PITA: maybe that --register-DNS option will help, but I spent many hours one of my prior jobs cooking up a solution to guarentee that internal DNS worked. 
I just wish my solution wasn't locked up in a former employer's SVN repo :( 01:51 <+pekster> Windows does strange things when multi-homed, especially if you require automatic suffix support (which you apparently do since you're not using a FQDN) 01:51 < Minnebo> pekster, i could trick it 01:51 < Minnebo> by adjusting the hosts file 01:51 <+pekster> Using a FQDN might help, if you push the domain along with the DNS server 01:51 <+pekster> \\server.your.domain 01:52 < Minnebo> but then again when I go to 192.168.100.1 it goes to my local adress 01:52 <+pekster> It's still ugly because the DNS servers and "search suffix" for the domain are attached to the adapter, not system-wide 01:52 < Minnebo> Its odd that pptp vpn doenst have these issues :p 01:52 <+pekster> It just has issues with being a known inseucre protocol for over a decade and being fairly trivial to attack since mid 2012 01:53 < Minnebo> i'll test some this afternoon, have to hit the road 01:53 < Minnebo> laters 01:56 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 01:57 -!- Azrael808 [~peter@212.161.9.162] has quit [Remote host closed the connection] 01:59 -!- Minnebo [~Minnebo@office.exabyte.be] has quit [Ping timeout: 246 seconds] 01:59 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has joined #openvpn 01:59 -!- Saviq_ [~Saviq@89-70-82-159.dynamic.chello.pl] has quit [Remote host closed the connection] 01:59 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 02:05 -!- Azrael808 [~peter@212.161.9.162] has quit [Quit: Ex-Chat] 02:15 -!- Halagan [~Miranda@a4.evona.ba.cust.gts.sk] has joined #openvpn 02:16 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has quit [Ping timeout: 264 seconds] 02:16 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has joined #openvpn 02:21 < Halagan> Hi guys .. We installed last version of iKey1000SDK (4.2.0) for iKey 1032 under OS Windows 7 x64. 02:21 < Halagan> App installed correctly and utility shows some information about token. 
02:21 < Halagan> We have openvpn certificate on this iKey and we use this certificate to login in vpn site. 02:21 < Halagan> When we run openvpn client, it appear error with message “the ordinal 322 could not be located in the dynamic link library libeay32.dll”. So I copied this file and file ssleay32.dll from windows\system32 to openvpn\bin, where I replaced original openvpn files. Then i started again openvpn client, and opevpn daemon crash with error (file with this error is in attachment). We use openvpn-2.2.2-install.exe, but I have also tried ne 02:21 < Halagan> w version openvpn-install-2.3.0.exe with the same results. Under OS Windows XP 32 bit with iKey1000SDK (4.0.0.4) run this certificate on token without problems. 02:24 < Halagan> And this is attachment error Faulting application name: openvpn.exe, version: 2.3.0.0, time stamp: 0x5098c6eb 02:24 < Halagan> Faulting module name: openvpn.exe, version: 2.3.0.0, time stamp: 0x5098c6eb 02:24 < Halagan> Exception code: 0xc0000005 02:24 < Halagan> Fault offset: 0x00075b73 02:24 < Halagan> Faulting process id: 0xafc 02:24 < Halagan> Faulting application start time: 0x01cdd6c4db23e169 02:24 < Halagan> Faulting application path: C:\Program Files (x86)\OpenVPN\bin\openvpn.exe 02:24 < Halagan> Faulting module path: C:\Program Files (x86)\OpenVPN\bin\openvpn.exe 02:24 < Halagan> Report Id: 1a456b8b-42b8-11e2-85e2-ac7289579a3a 02:30 < blackmagic> Please use a pastebin for pastes longer then 4 lines. 02:31 < blackmagic> makes reading much easier. 02:31 -!- Guest70136 [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn 02:42 < Halagan> Okay .. here is pastebin link .. http://pastebin.com/fhUQfMwE 02:43 < Halagan> And i also tried new version 2.3.0 OpenVPN .. 02:50 -!- cosmicgate [~root@216.17.109.26] has quit [] 02:56 < Halagan> Please suggest me solution. 
02:57 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn 02:57 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Ping timeout: 276 seconds] 03:05 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 03:15 -!- swat [~swat@ubuntu/member/swat] has quit [Ping timeout: 255 seconds] 03:19 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit [] 03:22 -!- JackWinter [~jack@vodsl-4655.vo.lu] has quit [Quit: ZNC - http://znc.in] 03:24 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn 03:26 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 03:26 -!- thinkHell [~Hell@85.15.47.27] has joined #openvpn 03:34 -!- s51itxsyc [~s51itxsyc@202.108.130.138] has quit [Quit: Lost terminal] 03:49 -!- M-Technic [~voltron@c-67-188-136-26.hsd1.ca.comcast.net] has quit [Ping timeout: 260 seconds] 03:56 -!- APTX [~APTX@unaffiliated/aptx] has quit [Read error: Operation timed out] 03:56 -!- M-Technic [~voltron@c-67-188-136-26.hsd1.ca.comcast.net] has joined #openvpn 04:04 -!- M-Technic [~voltron@c-67-188-136-26.hsd1.ca.comcast.net] has quit [Ping timeout: 248 seconds] 04:11 -!- cherwin [~cherwin@ip4da6274e.direct-adsl.nl] has quit [Ping timeout: 248 seconds] 04:12 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 04:12 -!- cherwin [~cherwin@ip4da6274e.direct-adsl.nl] has joined #openvpn 04:20 -!- igor__ [~igor@pd907e599.dip0.t-ipconnect.de] has joined #openvpn 04:27 -!- eugenmayer1 [~EugenMaye@2a02:8071:b258:c001:ec3e:a40d:77ad:6be2] has joined #openvpn 04:28 < eugenmayer1> Hello. Iam having like 40 VPN clients into 4 OpenVPN nets ( all served by one server ). To locations, one new office (all clients there, all OSX) and a customer location do have huge bandwith issues ( download 30kbit/s ). The networks are based on UDP and it seems it could be based on paket loss. Any suggestion? 
04:29 < eugenmayer1> I used iperf with -u and got a packet loss of 7-10% to the VPN server (from the outer net, not the tunnel) 04:33 <+pekster> eugenmayer1: That's a significant amount of packet loss; if you're familiar with TCP's restart mechanism in the face of lost packets, that could easily account for your low throughput. It's possible window tuning could help with TCP streams, but that still won't change the fundamental problem around that bad of a network link 04:34 < eugenmayer1> pekster: so you suggest, as I do, it's an ISP issue? 04:34 -!- p3rror [~mezgani@2001:0:53aa:64c:281c:646c:d605:16f1] has joined #openvpn 04:34 < eugenmayer1> pekster: as it's UDP, how could it be due to TCP's restart mechanism? 04:35 <+pekster> TCP is still used inside the tunnel for anything TCP-based 04:35 < eugenmayer1> I mean, since UDP is stateless and has no "ACK" it's always very sensitive to a bad connection/packet loss 04:35 < eugenmayer1> right? 04:36 <+pekster> Right. But if you, say, ftp across the VPN link, the local system doesn't care "why" the packet was lost (ie: no ack comes back for it) so it re-tries 04:36 <+pekster> That in turn generates another UDP packet, that in your case is also 7-10% likely to be lost 04:36 < eugenmayer1> yeah sure. Combined, that will cause a bandwidth issue, that's clear 04:36 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn 04:37 <+pekster> Try a traceroute tool that can show you loss/latency for each hop between your endpoints (I like the "mtr" tool for this, but there are others) and see what you find 04:37 <+pekster> At ~10% latency, you clearly have a problem with the link 04:37 <+pekster> loss, rather 04:38 < eugenmayer1> pekster: so I guess, since my VPN server is virtualized, I have to double check it's nothing on that route, check a different server. 
If I face the same amount of packet loss on other servers, I guess it's ISP-only, right 04:38 < eugenmayer1> pekster: using MTR here 04:39 <+pekster> "nothing on the route" ? I've no clue what that means, but I don't get packet loss even when someone on my network is watching Netflix and another is uploading vacation photos 04:39 < eugenmayer1> I see, right now, a kernel syslog message 04:39 < eugenmayer1> UDP: short packet: From XXXXX to XXXX 04:40 < eugenmayer1> and something like __ratelimit: 11 callbacks suppressed.. 04:40 < eugenmayer1> pekster: I meant, rather e.g. something with the virtualized network interface 04:45 -!- eugenmayer [~EugenMaye@2a02:8071:b258:c001:5dcf:eb91:45:15e3] has joined #openvpn 04:49 -!- eugenmayer1 [~EugenMaye@2a02:8071:b258:c001:ec3e:a40d:77ad:6be2] has quit [Ping timeout: 256 seconds] 04:49 -!- b1rkh0ff [~b1rkh0ff@178.77.7.250] has joined #openvpn 04:49 < eugenmayer> pekster: I am having huge internet issues, sorry. I am using MTR for this kind of tests 04:53 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has quit [Ping timeout: 244 seconds] 04:56 <+pekster> eugenmayer: Right. I mean, if you can't even stay connected to IRC without dropping, that's going to impact almost any application that's sending data across the Internet 04:56 <+pekster> The VPN's job is to encapsulate and deliver packets to your peer, not to fix that kind of problem 04:56 -!- eugenmayer [~EugenMaye@2a02:8071:b258:c001:5dcf:eb91:45:15e3] has quit [Ping timeout: 256 seconds] 04:56 <+pekster> lol 05:01 -!- thinkHell [~Hell@85.15.47.27] has quit [Read error: Connection reset by peer] 05:04 -!- eugenmayer [~EugenMaye@2a02:8071:b258:c001:657e:9c95:55ed:79ce] has joined #openvpn 05:05 <+pekster> eugenmayer: https://pastee.org/ksz9t 05:05 < eugenmayer> Sorry for my connection, it's just going up and down.. I guess I missed like everything? 
;/ 05:06 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn 05:18 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 05:22 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 248 seconds] 05:22 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 05:23 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 05:23 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 05:24 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 05:25 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 05:31 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 05:33 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 05:34 -!- b1rkh0ff [~b1rkh0ff@178.77.7.250] has quit [Quit: Leaving] 05:36 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 05:39 -!- _br_- [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 05:44 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 05:51 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has joined #openvpn 05:56 -!- eugenmayer [~EugenMaye@2a02:8071:b258:c001:657e:9c95:55ed:79ce] has quit [Ping timeout: 256 seconds] 06:03 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has quit [Quit: valparaiso] 06:03 -!- dude123 [~jonathan@cpe-72-191-141-216.stx.res.rr.com] has joined #openvpn 06:03 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has joined #openvpn 06:04 -!- M-Technic [~voltron@c-67-188-136-26.hsd1.ca.comcast.net] has joined #openvpn 06:04 < dude123> !welcome 06:04 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? 
see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 06:04 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 06:06 < dude123> question - does openvpn "hide" the user's ip address while on the internet? 06:07 < plaisthos> same as other vpn 06:07 <+pekster> You probably want to see the !redirect output from the bot. You can adjust the default gateway for traffic you don't have a more specific routing entry for, although that's only used while the VPN is connected 06:08 < dude123> !redirect 06:08 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 06:08 <@vpnHelper> http://ircpimps.org/redirect.png 06:13 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has left #openvpn [] 06:13 -!- dude123 [~jonathan@cpe-72-191-141-216.stx.res.rr.com] has quit [Quit: Leaving] 06:21 -!- p3rror [~mezgani@2001:0:53aa:64c:281c:646c:d605:16f1] has quit [Remote host closed the connection] 06:23 -!- p3rror [~mezgani@2001:0:53aa:64c:281c:646c:d605:16f1] has joined #openvpn 06:24 -!- ihptru [~ihptru@164.138.25.4] has quit [Ping timeout: 276 seconds] 06:37 -!- mattock is now known as mattock_afk 06:37 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn 06:50 -!- p3rror [~mezgani@2001:0:53aa:64c:281c:646c:d605:16f1] has quit [Ping timeout: 260 seconds] 06:58 < Halagan> Hi guys, can you please help me with this error ? .. 
http://pastebin.com/QsLpA6zy 07:00 < dioz> pekster 07:11 -!- ihptru [~ihptru@2a02:2770::21a:4aff:fef3:cdbb] has joined #openvpn 07:13 <+pekster> dioz: sup? 07:19 -!- mattock_afk is now known as mattock 07:21 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has quit [Ping timeout: 260 seconds] 07:23 <+pekster> Halagan: I really don't have much more info for you as I don't work with PKCS11 myself very often. As I mentioned a number of days ago when you last asked, your pkcs11 provider appears to need features not present in a standard openssl build that OpenVPN provides 07:24 <+pekster> You either need to figure out what change needs to happen and build it yourself, or rebuild OpenVPN against the modified OpenSSL library 07:25 < dioz> I know server-bridge by itself is for dhcp 07:25 <+pekster> I'm not the guy to ask to debug software I haven't used and don't have the source to. The error message you get is very generic, and the fact that openvpn crashes with a different dll is not a surprise; you can't just swap out compiled shared-object files like that; you need to rebuild them from *source* for this to work 07:29 < dioz> if I'm making a tap0 bridge server-bridge nogw 07:29 < dioz> `client' is windows 7 07:29 < dioz> how do I get the client to get my bridge side WAN address 07:29 < dioz> if that makes sense 07:29 < dioz> ip-forwarding is enabled 07:30 < dioz> the WAN side address is static (no dhcp) 07:30 <+pekster> huh? 07:30 -!- folivora_ is now known as folivora 07:31 <+pekster> You want your VPN client to get, from dhcp, an address assigned to your upstream device? You can't do that... 07:31 < dioz> yeah, vps in another AS has multiple ip addresses 07:32 < dioz> I want those ip addresses routed to machines I have in a lan 07:32 < dioz> `routed' for lack of a better term 07:32 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn 07:33 < dioz> or am I high on crack or something? 
07:33 <+pekster> Then bridge a tap device on the system that is assigned those addresses 07:33 < dioz> yeah I have brctl addif br0 eth0 tap0 07:34 < dioz> tap0 is made by the openvpn.config (right now I have to manually brctl addif br0 eth0 tap0 after openvpn runs for them to `show' as bridged) 07:35 <+pekster> Okay. Nothing wrong with that, but if you don't use DHCP you'll need to statically set the IP on your clients, as well as your gateway if you plan to route through that interface 07:37 <+pekster> The client won't "get" your br0 address, but the device will be on the same L2 network 07:37 <+pekster> ie: your client still needs its *own* address to do anything useful 07:38 < dioz> so... idkf about windows, but I saw on install that it added a TAP-Win32 device to my "Control Panel > Networking and Sharing > Networking connections" 07:38 < dioz> should I see that "connect"? 07:38 <+pekster> Yup, and it needs an IP to do anything interesting 07:39 <+pekster> You can manage that by DHCP, but if you don't have it you need to assign it an IP, perhaps with an 'ifconfig' locally on the client side, or 'ifconfig-push' server-side 07:39 <+pekster> Same for a gateway, and DNS if you need it 07:39 <+pekster> Think of tap like an ethernet cable; you can't just plug a cable in, but you need to somehow give your device an IP so it can use the connection 07:40 < dioz> one last thing... does "Local Area Connection 2" sound like a reasonable `dev-node' for a client side windows 7 config? 
07:40 <+pekster> Yup 07:40 -!- ade_b [~Ade@95.209.55.220.bredband.tre.se] has joined #openvpn 07:40 -!- ade_b [~Ade@95.209.55.220.bredband.tre.se] has quit [Changing host] 07:40 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 07:40 <+pekster> You can also rename it to "tap0" or "vpn0" or whatever you like 07:40 <+pekster> Windows has stupid device names ;) 07:41 < dioz> alright thanks 07:47 -!- M-Technic [~voltron@c-67-188-136-26.hsd1.ca.comcast.net] has quit [Ping timeout: 264 seconds] 07:54 -!- M-Technic [~voltron@c-67-188-136-26.hsd1.ca.comcast.net] has joined #openvpn 07:58 -!- dazo_afk is now known as dazo 08:03 <@ecrist> good morning, kids 08:11 < igor__> can I ask a tun/tap related question? 08:11 <@ecrist> !ask 08:11 <@vpnHelper> "ask" is don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc 08:12 < igor__> do I have to use tap for ifenslave 08:16 < plaisthos> like with any other ethernet device 08:17 < igor__> ok, I am a beginner 08:17 <@ecrist> what is ifenslave? 08:17 < igor__> bonding 08:18 < igor__> I want to use bonding and openvpn 08:19 <+pekster> igor__: You need tap then; the ifenslave manpage is very specific that it works on the Ethernet level, which is what tap is. 
tun is at the Network (L3) layer 08:20 < igor__> so i have to use ethernet-bridge 08:43 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit [] 08:59 -!- brute11k1 [~brute11k@89.249.235.236] has joined #openvpn 09:00 -!- zeeshoem [~zee@198-84-231-11.cpe.teksavvy.com] has joined #openvpn 09:00 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 09:02 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn 09:03 -!- nand` [~nand@static.102.126.46.78.clients.your-server.de] has joined #openvpn 09:03 -!- igor___ [~igor@pd907e599.dip0.t-ipconnect.de] has joined #openvpn 09:03 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has quit [Disconnected by services] 09:03 -!- Fiouz_ [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined #openvpn 09:06 -!- Thermi_ [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn 09:06 -!- [fred]_ [fred@konfuzi.us] has joined #openvpn 09:06 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn 09:07 -!- Netsplit *.net <-> *.split quits: igor__, pnielsen, Guest70136, nutron, mnathani, [fred], Thermi, swiftkey, `nand`, kirin`, (+4 more, use /NETSPLIT to show all of them) 09:08 -!- pnielsen_ is now known as pnielsen 09:08 -!- Netsplit over, joins: BtbN 09:10 -!- defswork [~andy@141.0.50.105] has joined #openvpn 09:10 -!- swiftkey [swiftkey@2a01:7e00::f03c:91ff:feae:714e] has joined #openvpn 09:11 -!- swiftkey [swiftkey@2a01:7e00::f03c:91ff:feae:714e] has quit [Changing host] 09:11 -!- swiftkey [swiftkey@unaffiliated/swiftkey] has joined #openvpn 09:11 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn 09:11 -!- Netsplit *.net <-> *.split quits: swiftkey 09:11 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn 09:12 -!- Netsplit over, joins: swiftkey 09:15 -!- kirin` [telex@gateway/shell/anapnea.net/x-ilsmwstpkjvdgbnu] has joined #openvpn 09:20 -!- kirin` [telex@gateway/shell/anapnea.net/x-ilsmwstpkjvdgbnu] has quit 
[Ping timeout: 240 seconds] 09:22 -!- NChief [tomme@unaffiliated/nchief] has quit [Quit: leaving] 09:22 -!- kirin` [telex@gateway/shell/anapnea.net/x-elbljsabsqbscuxz] has joined #openvpn 09:22 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn 09:24 -!- NChief [tomme@unaffiliated/nchief] has quit [Client Quit] 09:25 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn 09:26 -!- mndo [~mndo@bl15-215-4.dsl.telepac.pt] has joined #openvpn 09:28 -!- kirin` [telex@gateway/shell/anapnea.net/x-elbljsabsqbscuxz] has quit [Ping timeout: 252 seconds] 09:28 < mndo> hi 09:28 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn 09:29 -!- kirin` [telex@gateway/shell/anapnea.net/x-eflzkseusdanowsk] has joined #openvpn 09:29 < mndo> is it possible to revoke several clients using crl-verify crl.pem ? 09:31 -!- Assid [~kvirc@unaffiliated/assid] has joined #openvpn 09:34 -!- kirin` [telex@gateway/shell/anapnea.net/x-eflzkseusdanowsk] has quit [Ping timeout: 248 seconds] 09:36 -!- kirin` [telex@gateway/shell/anapnea.net/x-jtuxtqhqsbqanuqk] has joined #openvpn 09:40 -!- gladiatr [~sdspence@24.124.15.166] has joined #openvpn 09:40 -!- gladiatr [~sdspence@24.124.15.166] has quit [Changing host] 09:40 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn 09:41 -!- kirin` [telex@gateway/shell/anapnea.net/x-jtuxtqhqsbqanuqk] has quit [Ping timeout: 255 seconds] 09:42 -!- kirin` [telex@gateway/shell/anapnea.net/x-vloxwmtujngywbmh] has joined #openvpn 09:44 < mndo> hi, is it possible to revoke several clients? 09:45 -!- igor___ [~igor@pd907e599.dip0.t-ipconnect.de] has quit [Quit: Lost terminal] 09:47 -!- kirin` [telex@gateway/shell/anapnea.net/x-vloxwmtujngywbmh] has quit [Ping timeout: 264 seconds] 09:49 -!- kirin` [telex@gateway/shell/anapnea.net/x-pkcemxmoxnqxpyji] has joined #openvpn 09:49 < gladiatr> if you are using certificates and your server has access to your CA crl... 
09:51 <+pekster> mndo: Certificate revocation can be performed the traditional way by revoking from your PKI (easy-rsa has a "revoke-full" script, or use another method if you manage your own PKI.) Optionally, you can "temporarily" disable a user based on CN by using a ccd file with the "disable" directive in that file 09:52 <+pekster> The ccd method, or an equivalent via a --connect script should be a temporary solution only where the certificate may later be re-authorized or similar. If the key material has been compromised, you should properly revoke the certificate and update the CRL 09:53 < mndo> pekster, the file crl.pem used on crl-verify is updated with all the revoked clients every time it is generated by revoke-full? 09:54 -!- kirin` [telex@gateway/shell/anapnea.net/x-pkcemxmoxnqxpyji] has quit [Ping timeout: 248 seconds] 09:54 <+pekster> mndo: Yup. So copy that crl.pem file to your server and it'll pick up on the change (provided you're already using the --verify-crl option. If not, you'd need to restart the instance to add that directive) 09:55 -!- kirin` [telex@gateway/shell/anapnea.net/x-inomorqwzrpnrdqv] has joined #openvpn 09:56 <+pekster> Technically you can do silly things like manually hack your index.txt file to "un-revoke" a certificate, but you really shouldn't do that as revocation is not supposed to be an operation you can undo 09:56 < mndo> pekster, oh, good, my doubt was related to the crl.pem contents.. 09:56 <+pekster> You can dump the crl manually if you want to see all the serial numbers you've revoked 09:57 <+pekster> The CRL is basically just a list of all revoked certs by serial, CA association, and the date/time of each revocation along with a signature from the CA 09:57 < gladiatr> you can cross-reference the serial of the target cert between the CA's index file and the contents of the crl 09:57 < gladiatr> oh. yeah. 
what pekster said :) 09:58 -!- PlasmaHH [~plasmahh@213.61.9.75] has joined #openvpn 09:59 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 10:00 < mndo> pekster, great, thank you for your help 10:00 < PlasmaHH> hi, I just set up some openvpn, and while both computers can ping each other just fine on their tun0 interface, when I try to ping a host from the client's subnet, using ping on the server, I can see how over the vpn some encrypted data is sent to the client, but nothing arrives on the tun0 there. where would I start debugging this? 10:00 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds] 10:01 -!- kirin` [telex@gateway/shell/anapnea.net/x-inomorqwzrpnrdqv] has quit [Ping timeout: 246 seconds] 10:03 -!- kirin` [telex@gateway/shell/anapnea.net/x-ejkvabzbfigdmmch] has joined #openvpn 10:03 <+pekster> !clientlan 10:03 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route 10:03 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png 10:04 -!- Eduard_Munteanu [~Eduard_Mu@188.25.7.99] has joined #openvpn 10:05 < Eduard_Munteanu> Hi. Is there any support for mesh/p2p VPNs in openvpn? Or some patch / some other project I should look at? 10:06 <+pekster> Eduard_Munteanu: No mesh support at present (where you have a many to many configuration.) 
You can do PtP-style VPNs on OSs that support it though 10:07 <+pekster> There was some project that basically automated the creation of a bunch of PtP tunnels to emulate a mesh design, although I'm forgetting what that was called now 10:07 < Eduard_Munteanu> pekster: well, that's a lot of tunnels for 25-30 machines :) 10:08 <+pekster> Sure, although if they're mostly idle the resource reqs would be somewhat low (just ugly as far as 30 tun devices went...) 10:08 <+pekster> !mesh 10:08 <@vpnHelper> "mesh" is (#1) openvpn does not do mesh networking or (#2) see !rip or (#3) check out http://github.com/darkpixel/openmesher/ for auto-creating openvpn meshes 10:08 < mndo> pekster, maybe peervpn? 10:08 -!- kirin` [telex@gateway/shell/anapnea.net/x-ejkvabzbfigdmmch] has quit [Ping timeout: 276 seconds] 10:08 < Eduard_Munteanu> I was just looking at peervpn, though it seems it's shared-key. 10:08 <+pekster> It would be cool to have a 'mesh' topology where an extra field is added to encrypted data to handle >1 peer 10:10 -!- kirin` [telex@gateway/shell/anapnea.net/x-hannadrtnndmmtdm] has joined #openvpn 10:11 < Eduard_Munteanu> Grr, openmesher also seems shared key-only. 10:11 < Eduard_Munteanu> !rip 10:11 <@vpnHelper> "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn 10:13 <+pekster> Eduard_Munteanu: I'm somewhat curious what your usecase is where you need a true mesh of ~30 nodes; at 870 "direct" links, that's quite the setup 10:14 <+pekster> I'm not downplaying the usefulness of a mesh for such setups, just interested to know what types of projects folks are considering using them for 10:15 < Eduard_Munteanu> pekster: I'm using bittorrent to distribute files from a central server (unreliable bandwidth) to 30 machines, and I figured delegating encryption and security to openvpn might be a good idea. 
10:15 -!- kirin` [telex@gateway/shell/anapnea.net/x-hannadrtnndmmtdm] has quit [Ping timeout: 252 seconds] 10:16 < Eduard_Munteanu> Especially since I already run a PKI for other purposes. 10:16 <+pekster> Interesting, so you'd like the guaranteed authenticity in such a setup, where presumably access to the tracker and network gives proof of identity 10:16 -!- kirin` [telex@gateway/shell/anapnea.net/x-mudnmykgtjucinir] has joined #openvpn 10:17 <+pekster> I wonder if using gpg at each end and letting bittorrent do its thing would be a simpler solution in terms of setup and maintenance if you really require encryption and/or proof-of-origin 10:19 < Eduard_Munteanu> pekster: well, currently I am transferring the torrent files through rsync/ssh... I figured this might simplify security, if only openvpn supported it out of the box. 10:20 < Eduard_Munteanu> I could simply run a rsync server on that (TAP ?) interface, and pretend everything is alright. 10:20 <+pekster> No need for tap unless you're dealing with an Ethernet-level protocol (ARP, IPX, multicast, etc) 10:20 < Eduard_Munteanu> I wonder what it takes to implement it, though, I should have a look. 10:21 <+pekster> rsync is still one-to-one in terms of connectivity 10:21 <+pekster> Bittorrent is helpful in a distributed sense, and you're of course free to prepare a .torrent that shares a signed or encrypted gpg file between peers, then each client of your central server just decrypts it after download is complete 10:22 -!- kirin` [telex@gateway/shell/anapnea.net/x-mudnmykgtjucinir] has quit [Read error: Connection reset by peer] 10:22 -!- master_of_master [~master_of@p57B55DD0.dip.t-dialin.net] has quit [Ping timeout: 272 seconds] 10:23 < Eduard_Munteanu> Hm, yes, I guess that works too. 
I've also looked at some builtin encryption in rtorrent, but dunno how the key exchange actually works :/ 10:23 <+pekster> If you just need proof that the file hasn't been tampered with between the central server and your nodes, a detached signature is a far cleaner option so you don't even need to decrypt anything 10:23 < Eduard_Munteanu> Oh, definitely. In fact, I guess the torrent files are ok for that purpose, no? 10:23 -!- master_of_master [~master_of@p57B55F39.dip.t-dialin.net] has joined #openvpn 10:24 * Eduard_Munteanu looks what hashes they use 10:24 <+pekster> Well, what is it you want at a high level? Do you just need to verify the file as the same on download as it was from the source? If so, gpg detached signatures are definitely what you want (and what Linux distros using torrents today already use) 10:25 < Eduard_Munteanu> Hm, SHA-1 according to wikipedia, looks reasonably fine. The files are just movies, btw. 10:25 <+pekster> eg: look at this link, where the checksums are signed: http://cdimage.ubuntu.com/xubuntu/releases/12.10/release/ 10:25 <@vpnHelper> Title: Xubuntu 12.10 (Quantal Quetzal) (at cdimage.ubuntu.com) 10:25 -!- kirin` [telex@gateway/shell/anapnea.net/x-wbhuhodavdvolbuq] has joined #openvpn 10:25 <+pekster> So you download the content in the "clear" (possibly with bittorrent's rc4 "encryption" if you call it that between peers) and then checksum it, then verify that the checksums file was authentic by verifying the gpg signature 10:26 <+pekster> If your checksums match and the checksum file was correctly signed with a signature you trust, you know it hasn't been tampered with since it was hashed/signed at the server's end 10:27 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 256 seconds] 10:28 < Eduard_Munteanu> pekster: yeah, I suppose that should do. 
I mostly wanted encryption and all that because it's cheap these days :) 10:29 <+pekster> No real need for that unless you can't have your content (ie: the chunks going over the wire) in the clear. The solution to that without a true mesh setup would be to use gpg to encrypt the files before you seed them in the p2p swarm 10:29 <+pekster> signing and encryption are separate operations in gpg 10:29 <+pekster> You can use one, the other, or both 10:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 10:30 -!- kirin` [telex@gateway/shell/anapnea.net/x-wbhuhodavdvolbuq] has quit [Ping timeout: 244 seconds] 10:31 <+pekster> A mesh is an interesting solution for your needs, I just think it's overly complicated for what you ultimately want 10:31 -!- kirin` [telex@gateway/shell/anapnea.net/x-uvulotxunalwtwsa] has joined #openvpn 10:32 <+pekster> And it still won't help you if one of your nodes is somehow compromised into sending bad data to other peers (that probably wouldn't pass the .torrent files own hashing scheme, but it's not as cryptographically secure as gpg signatures are) 10:32 < Eduard_Munteanu> Might take a shot at implementing it, it simplifies things greatly if I can just rely on openvpn instead of adhoc solutions (however straightforward they may be). 10:32 <+pekster> So it's both more complex, and less useful to you in terms of verifying file origin 10:33 < Eduard_Munteanu> BTW, does openvpn distribute the server certificate to the clients? 10:34 < Eduard_Munteanu> AFAICT, you'd only need the CA cert on the client to verify it. 
10:34 <+pekster> Certs from each end are exchanged during the initial TLS handshake 10:34 <+pekster> Right, you don't ever need your peer's certificate available locally as it comes over the wire from the peer itself 10:35 <+pekster> Just the ca.crt, and your own cn.crt and cn.key files (you can put them in a .p12 if you prefer, or just name all 3 in your config file) 10:35 <+pekster> There are nice howto docs on setting up a server to handle multiple clients: 10:35 <+pekster> !howto 10:35 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 10:36 < Eduard_Munteanu> Yeah, I already have such a server set up. 10:37 <+pekster> FYI, gpg sigs can use any of the hashes you see in 'gpg --version' 10:37 <+pekster> Mine supports up to SHA512 (no sha3 yet, but that's new enough not to be in most mainstream projects) 10:38 < Eduard_Munteanu> Yeah, I'm a bit uneasy about SHA1 too, most PKI stuff still uses that. :( 10:38 <+pekster> Only if you tell it 10:38 <+pekster> openssl defaults to sha1, but all my PKI certs (ca and all peers) are signed using at least SHA256 10:38 <+pekster> easy-rsa doesn't default to that, but it's easy to adjust the openssl.cnf file to do it (see default_md options, and you may need to add that yourself in the [req] section) 10:41 < Eduard_Munteanu> AFAICT there's only one big piece missing... some sort of peer discovery. I guess the rest is pretty much already handled in openvpn. 10:42 < kjs> I have an issue, other people VPN'ing can access a specific subnet but I can't - I assume this is a route problem from my client? 10:42 <+pekster> kjs: Other people using the same VPN? If so, then it's obviously on your side. Are the routes getting added, and have you verified you don't have overlapping networks that cause the access issue? 10:44 < kjs> I can't see the route, I attempted to add it by hand. 
But still no joy 10:44 < Eduard_Munteanu> Maybe the server is denying you access / not forwarding traffic? 10:44 < Eduard_Munteanu> Do you admin the server as well? 10:45 <+pekster> kjs: It's possible the server treats specific users differently via ccd or --client-connect scripting handling routes/firewalling uniquely per client; do you know if that's the case? Check your logs at 'verb 5' to see exactly what the client is getting pushed and check for errors. Post logs if you need help parsing them, but it should be pretty clear from the logs re: pushed options/routes 10:46 < kjs> pekster: fixed it, was a route issue, I re-added it manually... and it works now 10:46 < kjs> thanks :D 10:46 < Eduard_Munteanu> Mm, you shouldn't have to, though. 10:47 <+pekster> Not if it's being pushed correctly and didn't give an error when adding it on VPN init 10:47 <+pekster> Presumably it's not a policy problem or the admin should have firewalled it properly :P 10:47 <+pekster> (and yes, I've set up VPN accounts for contractors before where I'm quite careful to limit them to what their in-house management says they should have access to ;) 10:48 < kjs> it's not in the server config, I suspect because it's the management subnet 10:48 < kjs> and they don't want other people accessing it (directly) 10:48 <+pekster> Ah, sure. We went through a phase where our management subnet (outside of our /16 supernet for all other corp stuff) wasn't pushed, and we eventually pushed the smaller network to VPN clients. 
Or maybe just our IT team, I forget 10:49 <+pekster> Keep in mind not pushing a route doesn't keep people off it who know how to add routes themselves ;) 10:49 <+pekster> That's the job of a firewall 10:49 <+pekster> -A FORWARD -i tun+ -j ACCEPT is a popular netfilter rule, but often bad in a corp environment :P 10:50 -!- brute11k1 [~brute11k@89.249.235.236] has quit [Ping timeout: 264 seconds] 10:50 -!- brute11k [~brute11k@89.249.235.236] has joined #openvpn 10:51 -!- p47 [~p47@189.134.208.202] has joined #openvpn 10:51 < PlasmaHH> pekster: thanks, that diagram helped somewhat, although "correctly configure the iroute" should have somehow mentioned that the filename needs to be the client name as shown in e.g. the ifconfig-pool-persist file, and not as in the CN from the certificate (which is how I read http://openvpn.net/index.php/open-source/documentation/howto.html) 10:51 <@vpnHelper> Title: HOWTO (at openvpn.net) 10:51 <+pekster> PlasmaHH: It does need to match the CN from the X509 cert 10:52 <+pekster> (unless you're using --username-as-cn, but then you should know what that's doing anyway) 10:53 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn 10:53 -!- mode/#openvpn [+o krzee] by ChanServ 10:53 <+pekster> Mind you that DN and CN are unique and shouldn't be confused; OpenVPN uses the CN field of the DN of the cert to identify unique users 10:55 < PlasmaHH> well, it currently has a different filenames. anyways, I need to get home and test it from other clients there 10:55 -!- PlasmaHH [~plasmahh@213.61.9.75] has quit [] 10:57 <+pekster> Interesting; I wonder if (s)he was using weird chars OpenVPN internally remapped 10:58 <@krzee> g'day pekster 10:58 <+pekster> Morning 10:58 <@krzee> in case you were wondering, verizon's commercials were telling the truth 10:58 <@krzee> their network is really that much better 10:59 <+pekster> LTE? 
10:59 <@krzee> yep 10:59 <@krzee> ive been driving around california testing 4 different mobile hotspots with my darknet voip network 10:59 <@krzee> the verizon one is much better than the others 10:59 -!- wh1p [~angus@host-2-100-148-6.as13285.net] has left #openvpn ["Leaving"] 10:59 <+hazardous> krzee that's so weird 10:59 <+hazardous> how does att fare 10:59 <@krzee> it works in random places in the middle of nowhere 10:59 <+hazardous> heh 11:00 <@krzee> t-mobile and att work in major areas 11:00 <+hazardous> my tmobile hotspot 11:00 <+hazardous> worked only in sf proper 11:00 <@krzee> virgin works well when it works 11:00 <+hazardous> it dropped off literally as soon as it exited 11:00 <+hazardous> and started working in la 11:00 <@krzee> exactly 11:00 <+hazardous> also 11:00 <@krzee> but verizon worked along the entire 5 11:00 <+hazardous> tmobile does DPI 11:00 <+hazardous> and forbids tethering while roaming 11:00 <+hazardous> even at reduced speeds 11:00 <@krzee> including much of the grapevine 11:00 <+hazardous> so even if it says there's service 11:00 <+hazardous> you still can't tether 11:00 <+hazardous> or use a hotspot properly 11:00 <@krzee> no no, these are wifi hotspots 11:00 <+hazardous> oh 11:00 <@krzee> they always tether 11:00 <+hazardous> mine was an actual one 11:01 <+hazardous> not a phone 11:01 <@krzee> oh ok 11:01 <+hazardous> iirc virgin = verizon? 
11:01 <@krzee> nope 11:01 <@krzee> sprint iirc 11:01 <+hazardous> ah 11:01 <+pekster> I've used my phone's 3G (I have 4G w/ sprint, but rarely use it due to battery suckage) and I've plugged it in via NDIS/USB to an OpenWRT router that runs OpenVPN 11:01 <+hazardous> i think they use the same devices or something 11:01 -!- raidz_away is now known as raidz 11:01 <+hazardous> because the autospawned wifi ssid is similar 11:01 <+hazardous> and weird 11:01 <+pekster> One of these days when I'm the passenger on a long ride I should try to VPN in back home and do work for the trip :P 11:01 <@krzee> verizon is the only one that worked well on the road from vegas to san diego, and from la to the bay 11:02 <+hazardous> on sprint i had service at la 11:02 <+hazardous> d 11:02 <+hazardous> dropped off until SLO 11:02 <+hazardous> then a mile or two then dropped off until sf 11:02 <+pekster> I used my phone for streaming audio via 3G, and it worked nearly everywhere except the CO mountains (major highways mostly) 11:03 <+hazardous> hahaha CO mountains 11:03 <+hazardous> i went through there twice last month/this month 11:03 <@krzee> im rolling around with a AC splitter, a power inverter and 2 micro-usb car adapters 11:03 <+pekster> I even got Netflix streaming in Eloy AZ (not far off the interstate, but it is literally the middle of nowhere in the desert) 11:03 <@krzee> then my inverter has a usb plug for micro-usb 11:03 <@krzee> then i plugin my laptop and more micro-usb cables 11:03 <+pekster> Netflix on a phone is surprisingly fun to watch, especially when it's your only entertainment 11:03 <+hazardous> pekster: i had literally zero service in the co mountains as sprint 11:03 <@krzee> 4 hotspots, 2 cellphones, and a secure mobile device, all on micro-usb 11:03 <@krzee> lol 11:04 <+hazardous> is it weird that i pick up multiple hotspot service usually prepaid when i travel 11:04 <+hazardous> because i really need internet on the trip 11:04 <+pekster> krzee: I used an 
inverter a couple years ago to literally build a Gentoo OS from scratch in a car doing 70 mph from MN to IA. I had a headless PC, RS232 cable, my laptop, and an ext-hdd with the full gentoo source mirror 11:04 <+pekster> That PC was the router for the LAN-gaming event ;) 11:04 <@krzee> haha 11:04 <@krzee> nice 11:05 <+pekster> I finish the build and firewall just as we pull into the parking lot and plug it in. ~15 mins after we stopped I began serving the LAN full web connectivity 11:05 <+pekster> That was a fun drive 11:05 <+hazardous> i lost a can of soda today 11:05 <+pekster> I found one 11:05 <+hazardous> hah 11:05 <+pekster> Must be the world's way of keeping everything in balance 11:06 <+hazardous> pekster: it fell out of my bag 11:06 <+hazardous> and just rolled downhill 11:06 <+hazardous> for like three blocks 11:06 <+hazardous> didn't even bother chasing it 11:06 <+pekster> Hmm, not a Dr Pepper, was it? 11:06 <+hazardous> nah, red bull zero 11:06 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 276 seconds] 11:06 <+hazardous> it just rolled until it disappeared 11:06 <+hazardous> i need to start double bagging but they're 0,10 11:06 <@krzee> i had to fix a server in LA… hd died so i picked up a new one from best buy, $100 for 1tb, $80 for 320gig so i bought the 1tb, turned out my bios couldnt handle the 1tb 11:06 <@krzee> so i went back and got the 320gb lol 11:07 <+hazardous> ..hahahah what 11:07 <@krzee> had to get a new power supply as well 11:07 <@krzee> but then it turned out the shop had connections with the 1 supplier of the mobile devices i needed to buy wholesale, and gave me a great price 11:07 <+hazardous> the shop = best buy? 
11:07 <@krzee> so the extra time it took ended up benefitting me, i would not have made the distribution deal otherwise 11:08 <@krzee> no, the guys who im colo'ing with 11:08 <@krzee> although i need to talk to best buy b2b as well, but dont expect a better price from them 11:08 <+hazardous> expect assfucking exclusivity contracts though 11:08 <@krzee> hells no 11:09 <+pekster> Do you get a clause that lets you stay with them exclusively if they offer you lower prices? :P 11:09 <+hazardous> must order minimum x devices per calendar month 11:09 <+hazardous> orders must increase monthly 11:09 <+pekster> Lame 11:10 <+hazardous> probably offtopic but can anyone recommend me a place that does hosted mail properly 11:10 <+hazardous> just need 3 mailboxes and a catchall 11:11 <+hazardous> google apps not free anymore ;v; 11:12 <@krzee> screw exclusivity and rules with bestbuy 11:13 <@krzee> im using their distributor anyways with no rules 11:13 <@krzee> paying cost + 2% to my contact that has deals with them already 11:13 <@krzee> i could save the 2% but i like working with the guy and thats only like $4 / unit 11:14 <@krzee> and a layer of abstraction feels nice even when not needed at all, habit i guess lol 11:15 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 11:17 -!- Assid [~kvirc@unaffiliated/assid] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/] 11:30 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit [Ping timeout: 244 seconds] 11:32 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 11:41 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn 11:43 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 11:43 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 11:53 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 11:57 -!- thinkHell [~Hell@ks399220.kimsufi.com] has 
joined #openvpn 11:57 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 11:58 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn 11:58 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host] 11:58 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 12:00 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 12:01 -!- thinkHell [~Hell@ks399220.kimsufi.com] has quit [Ping timeout: 272 seconds] 12:04 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 12:07 -!- Orbi [~opera@anon-163-28.vpn.ipredator.se] has joined #openvpn 12:07 < Orbi> hello 12:08 < fys> Oh god fuck my life. 12:08 < fys> I knew this was going to bite me in the ass sooner or later. 12:08 < fys> I fucking knew it. 12:11 < Orbi> I have a pppoe reconnect at 4am daily 12:12 < Orbi> I wrote this cron job to kill openvpn and bring it back up 12:12 -!- sauce [sauce@unaffiliated/sauce] has quit [Read error: Operation timed out] 12:12 < Orbi> Could someone have a look, because it's not working: 0 4 * * * root killall openvpn; sleep 20; openvpn --config /tmp/openvpncl/openvpn.conf 12:13 <+pekster> Orbi: What's wrong with using --keepalive and letting it automatically reconnect if the uplink reconnect takes it out? 12:14 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn 12:14 < Orbi> would that also work in case I get assigned a new IP? 12:14 < Orbi> I just checked my config and keepalive 10 30 is enabled 12:14 <+pekster> Orbi: Use --float on the server side, and if anything on the client side maybe a SIGUSR1 is needed (see the manpage) 12:15 <+pekster> What is the problem client-side when your pppoe reconnect occurs? 
12:15 <+pekster> With --keepalive 10 30, your client will notice no later than 30 seconds after a downed connection 12:16 < Orbi> I'm not in charge of the server side :) 12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=908277 event_wait : Interrupted system call (code=4) 12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=910293 TCP/UDP: Closing socket 12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=910567 /sbin/route del -net 93.182.149.130 netmask 255.255.255.255 12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=912009 ERROR: Linux route delete command failed: could not execute external program 12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=912281 /sbin/route del -net 0.0.0.0 netmask 128.0.0.0 12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=913707 ERROR: Linux route delete command failed: could not execute external program 12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=913995 /sbin/route del -net 128.0.0.0 netmask 128.0.0.0 12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=915425 ERROR: Linux route delete command failed: could not execute external program 12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=915612 Closing TUN/TAP interface 12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=915769 /sbin/ifconfig tun0 0.0.0.0 12:16 < Orbi> Thu Jan 17 04:00:00 2013 us=917192 Linux ip addr del failed: could not execute external program 12:16 <+pekster> Please don't do that 12:16 <+pekster> Use a pastebin 12:16 < Orbi> sorry 12:16 <+pekster> It's bad form on IRC because it's hard to read and detracts from conversation 12:17 < Orbi> I'll read into SIGUSR1 12:18 -!- nand` is now known as `nand` 12:18 <+pekster> That's probably all you need, although you'll need to stop downgrading your permissions if the server possibly hands you a new IP (looks like you're using --user and/or --group due to the failures to remove routes on disconnect.) 
12:19 <+pekster> No need to SIGTERM and then re-launch the client instance as long as it's not completely exiting on you 12:20 < Orbi> I'm indeed running the client with reduced privileges 12:21 <+pekster> You can't do that if you expect a new IP from the server to work after a reconnect event 12:21 <+pekster> Either run an external script to configure routes/addressing for such cases, or don't downgrade permissino 12:21 <+pekster> permission* 12:21 < Orbi> Wouldn't SIGHUP work then? 12:22 <+pekster> No, because you require root access to set the tap IP 12:22 <+pekster> eg: try 'ip addr add 127.0.0.2/8 dev lo' as a non-root user and watch it fail 12:23 <+pekster> It might work with SIGUSR1 and --persist-key --persist-tun, but that will cause you problems if the server assigns you a new IP for whatever reason 12:23 < Orbi> Yes, it might SIGUSR1 -- Conditional restart, designed to restart without root privileges 12:24 < Orbi> It's my ISP's IP that changes daily 12:24 <+pekster> Read the --user option in the manpage, since you'll need the relevant --persist options for that to work 12:25 <+pekster> And you really want --float on the server-side if you expect that to do what you want 12:25 <+pekster> --keepalive will at least reconnect you even if that doesn't work 12:25 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn 12:26 <+pekster> Then send the process a USR1 signal rather than the clunky term/wait/restart steps. You can probably hook into your distro's features for DHCP action to do that on-demand and not rely on cron to do it 12:26 <+pekster> (that's the cleaner solution) 12:26 < Orbi> even though my IP address changed? Doesn't the tun interface need to be closed since the ip address changed? 12:27 < Orbi> interesting solution, I'm really getting to learn all this stuff 12:27 <+pekster> Read the --persist-tun option. 
You can't use USR1 "soft-restarts" when dropping user privs 12:27 <+pekster> Manpage describes that very clearly in the --user option too 12:28 <+pekster> Read about those, SIGUSR1, and --float and you should be able to answer your own questions 12:28 < Orbi> ok, so at some point it might be a tradeoff between user privileges and functionality? 12:30 < Orbi> I'll look into it, thanks for answering pekster 12:39 -!- Halagan [~Miranda@a4.evona.ba.cust.gts.sk] has quit [Read error: Connection reset by peer] 12:50 -!- nameless` [~nameless@u1c.eu] has quit [Read error: Operation timed out] 12:50 -!- dvl [~dan@pdpc/supporter/active/dvl] has quit [Ping timeout: 255 seconds] 12:51 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn 12:51 -!- nameless` [~nameless@u1c.eu] has joined #openvpn 12:52 -!- mndo [~mndo@bl15-215-4.dsl.telepac.pt] has quit [Quit: going home] 12:52 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has quit [Remote host closed the connection] 12:54 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood] 12:56 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn 12:59 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Ping timeout: 255 seconds] 13:01 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds] 13:20 -!- raidz is now known as raidz_away 13:21 -!- raidz_away is now known as raidz 13:25 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Ping timeout: 260 seconds] 13:25 -!- APTX_ [~APTX@unaffiliated/aptx] has joined #openvpn 13:26 -!- mattock_ [~mattock@raidz.im] has joined #openvpn 13:26 -!- mattock_ [~mattock@raidz.im] has quit [Changing host] 13:26 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 13:26 -!- mode/#openvpn [+o mattock_] by ChanServ 13:27 -!- sauce_ [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn 13:27 -!- thermoman_ [~thermoman@idle.foobar0815.de] has joined #openvpn 13:28 -!- mattock 
[~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 245 seconds] 13:28 -!- mattock_ is now known as mattock 13:30 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 260 seconds] 13:30 -!- TypoNe [~itsme@195.197.184.87] has quit [Ping timeout: 260 seconds] 13:30 -!- thermoman [~thermoman@idle.foobar0815.de] has quit [Ping timeout: 260 seconds] 13:30 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 260 seconds] 13:35 -!- dvl [~dan@nyi.unixathome.org] has quit [Changing host] 13:35 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn 13:36 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn 13:54 < p47> I can not connect to vpn it says error and I made all I'm trying with ubuntu 13:54 -!- brute11k [~brute11k@89.249.235.236] has quit [Quit: Leaving.] 13:54 < p47> can anybody here help me ? 13:54 < ngharo> what says error 13:54 < p47> I'm trying to connect windows + ubuntu 13:55 < p47> ngharo, connecting to client has failed 13:59 -!- Radex [br@debian.pl] has left #openvpn [] 14:17 -!- Sickness\ [~stront@unaffiliated/s-work] has joined #openvpn 14:18 < Sickness\> I am connected to the openvpn network at my work from home, I'm trying to connect to a server using putty but it tells me the host does not exist (I only know the hostname of the box) 14:19 < Sickness\> this worked fine before without having to set anything additional 14:20 < Sickness\> I've tried pinging some boxes that I do know should be up but no luck and since I'm connected to the vpn I doubt its a fw issue (which is disabled atm btw) 14:20 <+pekster> Sickness\: Maybe they're not pushing DNS or it doesn't work for a variety of reasons (not properly updated in OS, or generic Windows DNS multihoming issues.) 
Try 'dig @ip-of-corporate-dns hostname-of-interest' (or do it via nslookup or your other favourite resolution tool) 14:22 <+pekster> Making DNS work for Windows clients in a corporate network is rather tricky, and I've written careful client-side code in the past for former employers to make it seamless to users due to the issues around it. You can read about the --register-dns option and add it to your client .ovpn file if you want to try it 14:22 < Sickness\> hm 14:22 < Sickness\> maybe it's windows 8 related, I'm not using that at work 14:23 < Sickness\> since there, it works flawlessly using the same methods (the actual vpn is on a foreign server) 14:23 <+pekster> Near as I could tell using the developer preview, OpenVPN worked on win8 like it did on 7 14:23 <+pekster> It's not like win8 really does anything fundamentally different than 7 besides metro anyway 14:24 < Sickness\> not when it comes to these things as far as I know, no 14:25 < Sickness\> hm, just realized the vpn network might be conflicting with the virtualbox network I have here 14:25 < Sickness\> nope 14:29 < Eduard_Munteanu> Hm, the connection setup code seems rather tightly-coupled with options. 14:31 < Eduard_Munteanu> Is there some helper I can use to set up a new server/client? init_instance seems to rely on option parsing to set up the context etc.. 14:31 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn 14:33 < Eduard_Munteanu> Maybe I should set up a whole new context. 14:34 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn 14:35 < Eduard_Munteanu> Is there a developer channel, btw? 14:44 -!- ducblangis [~Ducblangi@24-117-207-111.cpe.cableone.net] has joined #openvpn 14:45 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn 14:46 -!- TechSmurf [~jdaniel@unaffiliated/techsmurf] has joined #openvpn 14:47 < TechSmurf> Any ideas why I can't snmpwalk a device across a tunnel? 
14:49 < Eduard_Munteanu> Ouch, the server multi-client code is a lot of code. 14:52 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye] 14:55 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has quit [Quit: Leaving] 15:14 -!- Orbi [~opera@anon-163-28.vpn.ipredator.se] has quit [Ping timeout: 272 seconds] 15:15 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has joined #openvpn 15:16 < CrashTM> anyone home? 15:16 <+hazardous> dont think so 15:17 < CrashTM> >.> 15:17 <+hazardous> ? 15:18 < CrashTM> why must forwarding a port to a openvpn client be so hard 15:18 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has joined #openvpn 15:18 <+hazardous> lol what are you trying to do 15:18 <+hazardous> i can help google or something but i don't really use openvpn so :x 15:19 < TechSmurf> correction: any ideas why I can't pass udp traffic across a tunnel? 15:19 < CrashTM> i will use minecraft for an example. if a client wanted to host a minecraft server it needs port 25565 to be open. 15:20 < CrashTM> the point of hosting it over a vpn is so that the public ip will not be the clients personal ip 15:21 < CrashTM> i have the server running and it works yet i am unable to forward all the traffic on port 25565 to the client 15:22 <+hazardous> does the inbound traffic hit the client? 15:22 <+hazardous> in the first place 15:22 <+hazardous> might be return path thats the prob 15:23 < CrashTM> no, when connected to the vpn, the client can not be seen when trying to connect to it 15:23 < CrashTM> when the vpn is not enabled i can connect to the server fine 15:24 < CrashTM> as soon as i connect it cannot be seen. 
15:24 < CrashTM> i have setup static ips for my clients 15:30 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has quit [Read error: Connection reset by peer] 15:35 -!- thermoman_ is now known as thermoman 15:36 < Sickness\> pff I finally did it on windows 8 15:37 < Sickness\> apparently windows 8 does do something fundamentally different compared to 7 pekster 15:37 < Sickness\> took me ~3 hours to get around this routing issue 15:38 < Sickness\> for anyone who's curious or might run into this in the future with windows 8 clients 15:38 < Sickness\> You need to install "RAS Connection Manager" as a windows feature (under programs and features) 15:38 < Sickness\> and add route-method exe to your openvpn config 15:39 <+pekster> I always use route-method exe with >=Vista 15:39 < Sickness\> I have never been forced to use it in Windows 7 over the past year ;( 15:40 <+pekster> Some of that might depend on local configuration 15:40 <+pekster> RRAS shouldn't ever be required to act as a client; I suspect something else was going on 15:40 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 15:40 <+pekster> I did test the dev preview of Win8, and it added routes normally, at least for a tun setup where I pushed a couple routes along with the connection 15:41 < Sickness\> well this was the only method I got working 15:42 < Sickness\> I have no idea why but installing the RAS connection manager admin kit helped 15:42 < Sickness\> Oh well, just happy it works now, now I can finally fix that live bug :P 15:43 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has quit [Ping timeout: 260 seconds] 15:47 < CrashTM> anyone? 15:48 < TechSmurf> figured it out.. 
for some reason the return path was different for snmpwalk than ping 15:49 * TechSmurf thinks 15:49 < TechSmurf> no, ping just didn't care 15:49 < TechSmurf> either way it was sourcing from the tun interface ip, which I hadn't accounted for 15:50 < TechSmurf> dunno why iperf failed over udp, but whatever. snmp is working :P 15:51 <+pekster> CrashTM: If you're forwarding a port on the VPN server's public IP to a VPN client, how are you handling the return routing? 15:52 < CrashTM> great question 15:52 < CrashTM> no idea 15:52 < CrashTM> XD 15:52 <+pekster> You need the client to route the reply packets back across the VPN 15:53 < CrashTM> any idea on how i might do that? 15:53 <+pekster> Either redirect all client traffic via --redirect-gateway, or set up policy routing 15:53 < CrashTM> ok 15:55 <+pekster> Pretty sure you've been shown that a few times before 15:55 <+pekster> Some basic routing knowledge will make your life a lot easier. A lack of understanding why you need your return route for the client's reply traffic across the VPN is going to make understanding what is wrong very hard 15:55 <+pekster> !tcpip 15:55 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know 15:56 * TechSmurf nods 15:57 < TechSmurf> basically the traffic has to come back along its original route 15:58 <+pekster> Well, that's not completely true, but it needs to be sourced from the same IP as the original request was bound to 15:58 < TechSmurf> if A sends data to B and expects a reply from B, it won't know what to do if the reply comes from C instead. 15:58 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn 15:58 <+pekster> (which in his case means the same thing) 15:58 < Eduard_Munteanu> Depends on rp_filter. 
15:58 < TechSmurf> pekster: in my head it just visualizes nicely as a line-return vs loop-return 15:59 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Ping timeout: 255 seconds] 15:59 < TechSmurf> but yeah, the point is the replying ip has to match the original dest ip 15:59 <+pekster> Sure, but the reality of the Internet is that 2 packets sent right after one another (and each of their return packets) can take different routes depending on network conditions and any issues along the way 15:59 <+pekster> But yea, the endpoints don't care about routing path, just the IPs/ports matching expected values 15:59 < TechSmurf> as long as none of them somehow get routed over level3 I'm ok. 16:00 < TechSmurf> :P 16:00 < TechSmurf> I really hope that sentiment of mine is outdated and level3 has improved ;) 16:00 <+pekster> I'll keep you off layer3.net and send you through 12 Chinese gateways instead ;) 16:00 <+hazardous> nothing wrong with level3 16:00 < TechSmurf> might be layer3 16:00 <+hazardous> if anything i'd like to yell at cogent 16:01 < TechSmurf> I dunno. back around 2000 when I was mudding one of the backbones was a haven of lag 16:01 <+hazardous> cogent routed me from norcal -> texas -> chicago -> ny -> uk -> germany -> singapore -> aus 16:01 <+hazardous> i just.. i don't know 16:01 < TechSmurf> ouch. 16:01 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 256 seconds] 16:01 -!- p47 [~p47@189.134.208.202] has quit [Quit: Saliendo] 16:01 <+hazardous> that was an amazing 500ms though 16:01 < TechSmurf> :| 16:01 <+hazardous> instead of just going down to sj or la and going over peering 16:01 <+hazardous> at 130-150 16:02 <+hazardous> laughed pretty hard 16:02 <+hazardous> also on another server, ny to nj went through washington dc and chicago 16:02 <+hazardous> cogent -> telia -> he -> telia -> cogent 16:02 < TechSmurf> I like my route to that mud these days.. 
16:02 < TechSmurf> twtc -> twtc 16:03 <+hazardous> cable or telecom 16:03 < TechSmurf> tc 16:03 <+hazardous> twtelecom.net is entirely unrelated to time warner cable 16:03 <+hazardous> also what's a mud 16:03 < TechSmurf> text rpg 16:05 < TechSmurf> what irc is to skype, muds are to WoW 16:06 < Eduard_Munteanu> Heh, nice description. 16:06 < Eduard_Munteanu> (stands for multi-user dungeon, btw) 16:06 <+pekster> Ugh, beat me to that :P 16:06 < TechSmurf> (or mush,muck,moo,whatever) 16:07 < TechSmurf> multi-user shared hallucination... 16:07 < TechSmurf> props to whoever coined that one 16:08 < TechSmurf> twtelecom is entirely unrelated to time warner anything anymore 16:09 < TechSmurf> afaik 16:09 < TechSmurf> they were real big on that name change a few years back 16:10 < TechSmurf> regardless, they were the first company to agree to a fiber buildout for us. 16:10 < TechSmurf> it was merely convenient that they already had our t1 16:16 -!- WaffleScratch [~chatzilla@S010600226b8a7cc5.vn.shawcable.net] has joined #openvpn 16:16 < TechSmurf> thanks folks! 
16:16 -!- TechSmurf [~jdaniel@unaffiliated/techsmurf] has left #openvpn [] 16:22 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 16:25 -!- Porkepix [~Porkepix@lns-bzn-28-82-250-139-40.adsl.proxad.net] has joined #openvpn 16:31 -!- dazo is now known as dazo_afk 16:38 -!- WaffleScratch [~chatzilla@S010600226b8a7cc5.vn.shawcable.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 18.0/20130104151925]] 16:43 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 248 seconds] 16:46 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn 16:47 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat] 16:50 -!- Porkepix [~Porkepix@lns-bzn-28-82-250-139-40.adsl.proxad.net] has quit [Ping timeout: 256 seconds] 16:53 -!- Porkepix [~Porkepix@lns-bzn-28-82-250-139-40.adsl.proxad.net] has joined #openvpn 17:14 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 272 seconds] 17:17 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer] 17:18 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn 17:19 -!- Devastator [~devas@186.214.14.9] has joined #openvpn 17:21 -!- digilink [~digilink@unaffiliated/digilink] has quit [Read error: Operation timed out] 17:26 -!- Devastator [~devas@186.214.14.9] has quit [Changing host] 17:26 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn 17:27 -!- CrashTM [~CrashTM@cpe-98-144-34-109.wi.res.rr.com] has quit [Quit: Leaving] 17:53 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn 17:56 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit [] 18:13 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn 18:32 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn 18:32 -!- Eduard_Munteanu [~Eduard_Mu@188.25.7.99] has quit [Ping timeout: 255 seconds] 18:33 -!- Eduard_Munteanu 
[~Eduard_Mu@188.25.7.99] has joined #openvpn 18:33 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 256 seconds] 18:34 -!- ducblangis [~Ducblangi@24-117-207-111.cpe.cableone.net] has left #openvpn ["WeeChat 0.3.0"] 18:54 -!- p3rror [~mezgani@2001:0:53aa:64c:18a0:646c:d673:fd05] has joined #openvpn 18:54 -!- p3rror [~mezgani@2001:0:53aa:64c:18a0:646c:d673:fd05] has quit [Max SendQ exceeded] 18:55 -!- p3rror [~mezgani@2001:0:53aa:64c:18a0:646c:d673:fd05] has joined #openvpn 19:00 -!- p3rror [~mezgani@2001:0:53aa:64c:18a0:646c:d673:fd05] has quit [Ping timeout: 260 seconds] 19:02 -!- zaki [~guest@93.98.88.82] has quit [Remote host closed the connection] 19:12 -!- p3rror [~mezgani@2001:0:53aa:64c:3c41:646c:d606:ead9] has joined #openvpn 19:17 -!- p3rror [~mezgani@2001:0:53aa:64c:3c41:646c:d606:ead9] has quit [Ping timeout: 260 seconds] 19:21 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection] 19:27 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Ping timeout: 260 seconds] 19:30 -!- p3rror [~mezgani@2001:0:53aa:64c:30:646c:d673:9b7d] has joined #openvpn 19:31 -!- Eduard_Munteanu [~Eduard_Mu@188.25.7.99] has quit [Read error: Operation timed out] 19:39 -!- p3rror [~mezgani@2001:0:53aa:64c:30:646c:d673:9b7d] has quit [Ping timeout: 260 seconds] 19:52 -!- pnielsen_ is now known as pnielsen 19:55 -!- Controlsfreek [~Controlsf@cpe-69-204-135-43.nycap.res.rr.com] has quit [Quit: Leaving] 19:55 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn 20:01 -!- raidz is now known as raidz_away 20:40 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn 20:40 < Wulf> Hi 20:41 < Wulf> Trying to setup openvpn. All packets sent to the remote are not delivered. tcpdump shows them on the tun0 interface, but they are not sent on. The other way round works fine 20:42 < Wulf> what is it that I might be doing wrong? 
20:47 -!- brute11k [~brute11k@89.249.235.236] has joined #openvpn 20:56 <+hazardous> iptables rules ? 20:56 <+hazardous> masq / snat / whatever? 21:16 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Ping timeout: 256 seconds] 21:34 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn 21:38 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Read error: Operation timed out] 23:18 -!- ihptru [~ihptru@2a02:2770::21a:4aff:fef3:cdbb] has quit [Ping timeout: 245 seconds] 23:22 -!- ihptru [~ihptru@2a02:2770::21a:4aff:fef3:cdbb] has joined #openvpn 23:33 -!- brute11k [~brute11k@89.249.235.236] has quit [Ping timeout: 276 seconds] 23:36 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Ping timeout: 276 seconds] 23:37 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn 23:57 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has joined #openvpn --- Day changed Fri Jan 18 2013 00:07 < kunji> Mmmk, well I have the bridge into the network working now, even the UPnP server is working great. What isn't working is getting back out, or more likely back in, from the Internet, can't even ping by ip some on the internet going through the vpn. OpenVPN Server (192.168.1.103, giving out addresses 192.168.1.50 through 192.168.1.99) <-> Gateway Router (192.168.1.1 giving out addresses 192.168.1.100 through 192.168.1.200)<-> Modem (SomeIP) 00:49 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has quit [Ping timeout: 252 seconds] 00:56 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn 01:02 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has joined #openvpn 01:02 <+pekster> kunji: What is your goal? 
01:02 <+pekster> !goal 01:02 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 01:15 < kunji> pekster: Ah sorry, you and I have talked about this one before, the immediate goal would be to be able to communicate to and from the internet through the vpn, which is up and working. I know that the bridged vpn may not be suitable for all uses (for instance, yes, a SOCKS proxy would probably have been more suitable for this portion of my original goals), but by now the goal is as much just learning and figuring out how to make it work a 01:24 -!- raidz_away is now known as raidz 01:26 -!- raidz is now known as raidz_away 01:28 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Ping timeout: 255 seconds] 01:29 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn 01:29 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 252 seconds] 01:29 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Max SendQ exceeded] 01:29 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn 01:33 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 260 seconds] 01:46 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn 01:55 -!- p3rror [~mezgani@2001:0:53aa:64c:38a7:692d:d607:23fb] has joined #openvpn 02:12 -!- p3rror [~mezgani@2001:0:53aa:64c:38a7:692d:d607:23fb] has quit [Ping timeout: 260 seconds] 02:18 -!- ade_b [~Ade@95.209.204.110.bredband.tre.se] has joined #openvpn 02:18 -!- ade_b [~Ade@95.209.204.110.bredband.tre.se] has quit [Changing host] 02:18 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 03:18 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 272 seconds] 03:36 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 03:40 -!- kyrix 
[~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Ping timeout: 255 seconds] 03:45 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has joined #openvpn 03:48 < EugeneKay> !redirect 03:48 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 03:48 <@vpnHelper> http://ircpimps.org/redirect.png 03:56 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 03:56 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn 04:02 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Max SendQ exceeded] 04:12 -!- brute11k [~brute11k@89.249.230.224] has joined #openvpn 04:13 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has quit [Read error: Connection reset by peer] 04:14 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 04:17 -!- tyteen4a03 [T4@n218250229105.netvigator.com] has joined #openvpn 04:20 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn 04:21 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Max SendQ exceeded] 04:22 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn 04:23 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 276 seconds] 04:24 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Max SendQ exceeded] 04:25 -!- dazo_afk is now known as dazo 04:25 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has joined #openvpn 04:29 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection] 05:16 -!- larseberhart [~larseberh@77.116.246.247] has joined #openvpn 05:16 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn 05:17 -!- larseberhart 
[~larseberh@77.116.246.247] has left #openvpn [] 05:17 -!- Porkepix [~Porkepix@lns-bzn-28-82-250-139-40.adsl.proxad.net] has quit [Ping timeout: 252 seconds] 05:23 -!- Porkepix [~Porkepix@lns-bzn-28-82-250-139-40.adsl.proxad.net] has joined #openvpn 05:30 -!- corretico [~luis@190.211.93.38] has joined #openvpn 05:34 -!- ade_b [~Ade@95.209.204.110.bredband.tre.se] has joined #openvpn 05:34 -!- ade_b [~Ade@95.209.204.110.bredband.tre.se] has quit [Changing host] 05:34 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 05:42 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has joined #openvpn 05:53 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has quit [Remote host closed the connection] 06:03 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 256 seconds] 06:05 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 06:16 -!- Porkepix [~Porkepix@lns-bzn-28-82-250-139-40.adsl.proxad.net] has quit [Quit: Computer has gone to sleep.] 06:41 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has joined #openvpn 06:43 -!- [fred]_ [fred@konfuzi.us] has quit [Ping timeout: 240 seconds] 06:44 -!- [fred] [fred@konfuzi.us] has joined #openvpn 07:06 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 255 seconds] 07:14 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Remote host closed the connection] 07:19 -!- Porkepix [~Porkepix@LMontsouris-156-24-53-197.w193-253.abo.wanadoo.fr] has joined #openvpn 07:25 -!- samba35 [~shrikant@unaffiliated/samba35] has joined #openvpn 07:25 -!- corretico [~luis@190.211.93.38] has quit [Quit: Leaving] 07:25 < samba35> d12fk, hi 07:26 -!- corretico [~luis@190.211.93.38] has joined #openvpn 07:43 -!- larseberhart [~larseberh@212095007036.public.telering.at] has joined #openvpn 07:45 -!- larseberhart [~larseberh@212095007036.public.telering.at] has quit [Client Quit] 07:47 < mjixx_> does the redirect-gateway option work with ipv6? 
07:48 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn 07:48 -!- fu_fu [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has left #openvpn [] 07:48 -!- desmo [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has joined #openvpn 07:49 < desmo> can openvpn on windows run a client and a server ovpn file with the server process at the same time? 07:51 <+rob0> desmo, probably, but the necessity that you know what you're doing (understand IP routing) will increase dramatically. 07:54 < desmo> rob0, you mean because of the route looping? 07:57 <+rob0> that could happen! 07:58 < Rienzilla> yeah i'm quite certain it's possible 07:58 < Rienzilla> and fully support rob0's statement :D 07:59 < desmo> ya, i have seen it too, it is a most obvious routing issue ;) 08:04 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has joined #openvpn 08:14 < dioz> looping routes? 08:16 -!- brute11k [~brute11k@89.249.230.224] has quit [Ping timeout: 255 seconds] 08:17 < desmo> like when you have a router referring subnet routes to a subnet that has a router(sometimes a dhcp server) that refers back to the first router 08:19 -!- brute11k [~brute11k@89.249.231.136] has joined #openvpn 08:32 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn 08:32 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Read error: Connection reset by peer] 08:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn 08:37 -!- cpm [~Chip@pdpc/supporter/active/cpm] has left #openvpn [] 08:48 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn 08:58 -!- Netsplit *.net <-> *.split quits: Sickness\ 09:00 -!- BasicXP [~basicxp@ubuntu/member/BasicXP] has joined #openvpn 09:01 <+pekster> desmo: I do that sometimes to test platform operation on Windows; the only real trick is to use 'nobind' if you're connecting to the loopback adapter 09:01 <+pekster> (and of course you need a 2nd tap 
device, via 'tap-windows.exe' in 2.3.0 since it's missing the 'addtap.bat' utility by default 09:05 < BasicXP> Good time of the day, everyone! Got a problem here regarding client configuration directory. Followed the manual on the website on how to assign static addresses to clients. 09:05 <@ecrist> morning, folks 09:05 < BasicXP> However whatever I do, the client still receives wrong addresses (IPv4 and IPv6). 09:05 < BasicXP> Could that be because the CN has a space in it? 09:06 < BasicXP> Thanks in advance for any help or advice. 09:08 <+pekster> BasicXP: See the section in the manpage listed under 'String Remapping' 09:08 <+rob0> Heh. Why are you putting spaces in CNs? :) Unix filenames can have spaces, also, but those must be escaped. 09:09 <@ecrist> BasicXP: my general SOP is to keep spaces out of CN 09:09 <@ecrist> also filenames 09:09 <+pekster> BasicXP: The exact section you need is titled 'String Types and Remapping' 09:09 < BasicXP> pekster: thank you, will look into it 09:10 < BasicXP> ecrist: the file name has a space, it was created with touch "Common Name" 09:10 <+pekster> It's not against X509 policy to use space, but for best ovpn ease of use you should stick to the standard characters, or use the advanced option to avoid remapping (and write any code you use in hooks/scripts very carefully to avoid quoting bugs) 09:10 <@ecrist> BasicXP: you can do whatever you want, it's generally a good practice to keep spaces out of file names, though 09:10 <+rob0> ah, looks like you wanted "Common_Name" 09:11 <+pekster> well, or the --no-name-remapping option (depending on usecase and level of comfort managing potential string escapes if custom scripts are involved) 09:11 <+pekster> Nothing says trouble like the boss wanting to know why an attacker was able to exploit your VPN login ;) 09:13 < BasicXP> it will be much easier to rename the client config file for me, replacing a space with an underscore 09:13 < BasicXP> let me try it out 09:14 -!- Sickness\ 
[~stront@wolfenstein.enemyterritory.org] has joined #openvpn 09:15 < BasicXP> that did the trick, thank you all very much for help! really appreciate it. 09:19 -!- BasicXP [~basicxp@ubuntu/member/BasicXP] has quit [Quit: Have to go. Good bye!] 09:32 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 09:40 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn 09:44 -!- samba35 [~shrikant@unaffiliated/samba35] has quit [Ping timeout: 256 seconds] 09:46 -!- desmo [~Adium@c-71-200-223-226.hsd1.fl.comcast.net] has left #openvpn [] 09:57 -!- samba35 [~shrikant@219.64.91.253] has joined #openvpn 10:06 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds] 10:07 < kjs> Is there a way to set a route client side? 10:08 < kjs> in the ovpn file ? 10:08 <+pekster> Yup, via the 'route' directive 10:08 < kjs> route 10.255.0.0/24 10.25.8.69 ? 10:09 <+pekster> You need the netmask as its own separate parameter (see --route in the manpage for usage) 10:09 <+pekster> But yes, that's the premise 10:09 < kjs> route 10.255.0.0 255.255.555.0 10.25.8.69 10:09 <+pekster> Normally you don't use the IP since it'll be determined as your peer endpoint 10:10 <+pekster> You've got some variables available too to define common IPs based on your connection context 10:12 < kjs> k thanks 10:18 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 260 seconds] 10:22 -!- master_of_master [~master_of@p57B55F39.dip.t-dialin.net] has quit [Ping timeout: 240 seconds] 10:23 -!- master_of_master [~master_of@p57B53191.dip.t-dialin.net] has joined #openvpn 10:27 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds] 10:29 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 10:36 -!- Devastator [~devas@unaffiliated/devastator] has quit [] 10:39 -!- corretico [~luis@190.211.93.38] has quit [Ping timeout: 272 seconds] 10:41 -!- izibi [~julian@unaffiliated/izibi] has left 
#openvpn [] 10:44 -!- corretico [~luis@190.211.93.38] has joined #openvpn 10:48 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 10:49 -!- lurpy [~test003@soho-94-143-249-78.sohonet.co.uk] has quit [Quit: leaving] 10:53 -!- [Xaronic] [~Xaronic]@occupyuk.co.uk] has quit [Ping timeout: 248 seconds] 10:57 -!- [Xaronic] [~Xaronic]@occupyuk.co.uk] has joined #openvpn 11:00 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 11:00 -!- mode/#openvpn [+v s7r] by ChanServ 11:03 -!- raidz_away is now known as raidz 11:04 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 11:07 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 11:08 -!- swat [~swat@ubuntu/member/swat] has joined #openvpn 11:09 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Ping timeout: 260 seconds] 11:10 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn 11:14 -!- Porkepix [~Porkepix@LMontsouris-156-24-53-197.w193-253.abo.wanadoo.fr] has quit [Quit: Computer has gone to sleep.] 11:14 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn 11:19 -!- KaiForce [~chatzilla@adsl-70-228-65-227.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 18.0/20130104151925]] 11:20 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 11:26 -!- RAWR254 [~androirc@71.36.146.65] has joined #openvpn 11:28 < RAWR254> Morning folks. I have a question. I have a router that needs ipv6 support over openvpn. Is there a 2.3.0 mips build out or would i have to compile it? 
11:28 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds] 11:28 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Connection reset by peer] 11:29 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn 11:30 < RAWR254> Latest build i have found seems to be 2.2.2 for mipsel 11:33 < RAWR254> Mind you i cant do a dev tap due to the other end being a vps 11:34 <+pekster> RAWR254: Someone was here a week or so ago that mentioned some build issues for 2.3.0 under mips (OpenWRT I think, or maybe dd-wrt.) I'm not aware of a 2.3.x branch build for a mips platform, but I haven't really looked that hard personally 11:34 <+pekster> If you get it working, I'm sure the *WRT and/or openvpn mailing list would be interested to hear how you resolved any issues that popped up 11:35 < RAWR254> Pekster: if i cant get the ipv6 over dev tun to work, is it possible to use dev tap to link a router to a vps server? 11:36 <+pekster> Yea, and then serve IPv6 over the Ethernet link 11:37 <+pekster> There are a set of IPv6 patches to some of the 2.2.x branches too, but I'm not sure if any potential build issues are with IPv6 specifically, or other 2.3 branch stuff 11:37 < RAWR254> Awesome! 
Here i was thinking i couldn't because the vps only has the global ip on eth0 11:37 <+pekster> I'm not really the guy to ask about specifics, so I'm just passing on what I've heard 11:37 <+pekster> Sadly, I'm stuck on the IPv4-only Internet, for now 11:38 < RAWR254> My vps has a he.net tunnel 11:38 < RAWR254> So ipv6 is going to blow 11:38 <+pekster> I do have a nice fancy fe00::/8 network though ;) 11:38 < RAWR254> But oh well 11:38 <+pekster> ff* 11:39 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn 11:39 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host] 11:39 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 11:40 < RAWR254> Pekster: doesn't tap bridge interfaces so that my local network would show up on the network that eth0 is on? 11:40 <+pekster> Right 11:40 <+pekster> It operates similar to how a physical network switch would 11:41 <+pekster> You need to configure the bridge at the OS level; eg: Linux uses a 'br0' interface and you manage it with brctl to add eth0 and tap0, for instance 11:42 < RAWR254> I dunno if the datacenter would like a 192.168.x.x network showing up 11:42 <+pekster> The client needs an IP valid on the target network 11:42 <+pekster> Just like if you put a random machine on your home LAN with 10.50.100.7/24, it's not going to magically work unless you have a gateway on that same subnet also on your home LAN 11:43 < RAWR254> well that poses an issue 11:43 <+pekster> To use a tap device with the rest of the IP-Internet, you still need an IP and a gateway and such 11:43 <+pekster> think of tap like a "really big virtual Ethernet cable" 11:43 <+pekster> And that's it 11:43 < RAWR254> Guess I'll have to look at a tun ipv6 patch 11:44 <+pekster> (ovpn can manage a virtual IP network for you too on top of tap, but the low-level tap device is still just emulating Ethernet under the hood) 11:45 <+pekster> I'm not sure what the problems the last person to play with 2.3.x under MIPS were; your luck may vary if you're 
familiar with building code and aren't afraid to look into any errors you might get 11:45 <+pekster> For all I know they're fairly simple, but I don't need IPv6 on my OpenWRT openvpn setup, so I'm happy to use whatever the feeds provides for a version :P 11:48 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds] 11:49 -!- RAWR254 [~androirc@71.36.146.65] has quit [Quit: AndroIRC - Android IRC Client ( http://www.androirc.com )] 11:49 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn 11:49 < Valcorb> Hello, can anyone help me? 11:50 < Valcorb> i need to install a second tap driver 11:50 < Valcorb> but i can't find tapinstall.exe in the bin folder 11:50 <+pekster> Valcorb: What openvpn version? 11:50 < Valcorb> 2.3.0 11:50 <+pekster> In your install root, you should have a .\bin\tap-windows.exe 11:50 <+pekster> Run that, and select the optional 'Utilities' checkbox 11:51 <+pekster> Then in the install dir for the TAP-Win32 folder, you'll get the usual addtap.bat and deltapall.bat files 11:51 < Valcorb> Hmm, i can't find the file 11:51 < Valcorb> http://i.imgur.com/dE3H3.png 11:52 <+pekster> Valcorb: Weird. Well, break open the openvpn installer you downloaded with 7-zip and you can find it in the .\$TEMP\ path too 11:53 <+pekster> I'm using the 64-bit 2.3.0 official release, but I *though* I tested it and saw the tap-windows.exe thing there. 
Maybe I was mistaken, or maybe it was installed as an optional component I checked during install 11:53 <+pekster> thought* 11:53 < Valcorb> hmm 11:54 <+pekster> 7-zip should get it for you either way since it's part of the release download 11:54 < Valcorb> yeah 11:54 < Valcorb> lemme get 7zip 11:54 < Valcorb> one sec 11:56 <+pekster> Now I'm curious enough to get my dusty XP-32-bit VM updated to try a generic install of 2.3.0 to see what happens 11:59 < Valcorb> pekster, thanks, that fixed it 11:59 < Valcorb> it should work 11:59 < Valcorb> if its compatible with XP 11:59 < Valcorb> lol 11:59 <+pekster> Well, I want to see if that tap-windows.exe is installed by default using only default installer options in the \bin\ dir 12:00 < Valcorb> oh i c 12:00 <+pekster> It's still a hassle that between 2.2 and 2.3 the 2 batch files were removed from the tap-win32 installation 12:00 <+pekster> I mean, the driver and tapinstall.exe are still there, but not the frontend scripts and ini file to actually do it from userland 12:03 < Valcorb> yeah 12:03 < Valcorb> i noticed 12:06 <+pekster> Interesting, the file I referenced is not there post-install on 32-bit, even with all the optional stuff checked 12:06 <+pekster> Further, the build of the openvpn installer is not current with the git master because it's clearly missing the extra command-line value to install the utilities by default: 12:06 <+pekster> "C:\DOCUME~1\Josh\LOCALS~1\Temp\tap-windows.exe" /S 12:07 <+pekster> /S is for a silent NSIS install, but it's missing the /SELECT_UTILITIES value 12:07 <+pekster> Looks like a build issue then 12:07 <+pekster> I'll verify what I just stated in the code, then email the dev mailing list; hopefully 2.3.1 can fix that 12:08 < Valcorb> yeah 12:08 < Valcorb> p much 12:08 <+pekster> Thanks for stopping by; I looked a bit at the code, but not quite enough to fully track down the installation discrepancy against what I saw in it 12:08 <+pekster> Now I have the info I should need to 
generate a proper bugreport ;) 12:09 <+pekster> Valcorb: Are you on a 32 or 64 bit OS? 12:09 < Valcorb> 64 bit 12:09 < Valcorb> windows 8 12:09 < Valcorb> i'd love to get win7 12:09 < Valcorb> tho 12:10 <+pekster> classicshell.sf.net if you want your precious start menu back (open-source project too) 12:10 < Valcorb> Yeah i saw it 12:10 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has joined #openvpn 12:10 < Valcorb> i got the windowblinds tool 12:11 -!- josheee12 [~jsteiner@131.91.7.1] has joined #openvpn 12:12 -!- josheee12 [~jsteiner@131.91.7.1] has left #openvpn [] 12:18 < kjs> Buy a mac... 12:33 -!- bauruine [~stefan@91.236.116.112] has quit [Read error: Connection reset by peer] 12:39 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 260 seconds] 12:56 -!- kyrix [~ashley@chello084112114196.33.11.vie.surfer.at] has quit [Quit: Ex-Chat] 13:15 -!- Freeaqingme [~Freeaqing@91.214.168.110] has joined #openvpn 13:15 < Freeaqingme> Hi. Is it possible to forward all web traffic to my vpn, without the redirect-gateway option being pushed by the server itself? (on some clients I do want to redirect, on others I dont) 13:16 <+pekster> Freeaqingme: You can push that from the server in a ccd file or via a --client-connect script 13:17 <+pekster> Optionally, the client itself can specify 'redirect-gateway' locally, or you can do the equivalent route operations by hand or by script on the client end too 13:29 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has quit [Ping timeout: 272 seconds] 13:31 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has joined #openvpn 13:33 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn 13:36 -!- else- [~else@towely.iodev.org] has joined #openvpn 13:36 < else-> is it possible to push routes in p2p-mode? 13:38 <+pekster> else-: No, you can't use the --client or --pull directives outside of the multi-client mode 13:38 < else-> ok, thanks! 
13:40 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 13:41 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 13:44 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 13:46 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 13:48 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 13:49 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has quit [Ping timeout: 252 seconds] 13:49 -!- samba35 [~shrikant@219.64.91.253] has quit [Remote host closed the connection] 13:51 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has joined #openvpn 14:02 -!- brute11k1 [~brute11k@89.249.230.101] has joined #openvpn 14:03 -!- brute11k [~brute11k@89.249.231.136] has quit [Ping timeout: 256 seconds] 14:09 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has quit [Ping timeout: 252 seconds] 14:19 -!- Orbi [~opera@anon-149-82.vpn.ipredator.se] has joined #openvpn 14:42 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has joined #openvpn 14:54 < Freeaqingme> pekster, Thanks, works! 
14:54 <+pekster> :) 15:26 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Read error: Operation timed out] 15:27 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn 15:56 -!- cutaliviu [~liviusfus@79.118.219.39] has joined #openvpn 15:56 -!- cutaliviu [~liviusfus@79.118.219.39] has quit [Client Quit] 16:01 -!- cutaliviu [~cutaliviu@79.118.219.39] has joined #openvpn 16:02 -!- dazo is now known as dazo_afk 16:08 -!- Mimiko [~Mimiko@89.28.88.177] has quit [] 16:30 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit [] 16:31 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Ping timeout: 246 seconds] 16:48 -!- p3rror [~mezgani@41.249.102.205] has joined #openvpn 16:53 -!- p3rror [~mezgani@41.249.102.205] has quit [Ping timeout: 245 seconds] 16:58 -!- cutaliviu [~cutaliviu@79.118.219.39] has quit [] 17:05 -!- p3rror [~mezgani@41.249.83.35] has joined #openvpn 17:20 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn 17:25 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has quit [] 17:33 -!- p3rror [~mezgani@41.249.83.35] has quit [Ping timeout: 245 seconds] 17:48 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn 17:52 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Quit: Leaving] 18:04 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 18:16 -!- s7r [~s7r@openvpn/user/s7r] has quit [Read error: Connection reset by peer] 18:16 -!- AlbinoGeek [AcademyInt@academyintl/director/AcademyIntl] has joined #openvpn 18:16 < AlbinoGeek> !logs 18:16 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it nd select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 
18:17 < AlbinoGeek> !logfile 18:17 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info 18:19 < AlbinoGeek> :) That fixed everything. 18:19 < AlbinoGeek> Oh how wonderful it is when channels have USEFUL topics... 18:19 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Quit: ZNC - http://znc.in] 18:19 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Quit: I shouldn't have left....] 18:20 -!- raidz [~raidz@raidz.im] has joined #openvpn 18:20 -!- raidz [~raidz@raidz.im] has quit [Changing host] 18:20 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn 18:20 -!- mode/#openvpn [+o raidz] by ChanServ 18:20 -!- mattock [~mattock@raidz.im] has joined #openvpn 18:20 -!- mattock [~mattock@raidz.im] has quit [Changing host] 18:20 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 18:20 -!- mode/#openvpn [+o mattock] by ChanServ 18:20 < AlbinoGeek> Now that I've configured and successfully started OpenVPN server v2.3.x on my CentOS 5 box, and iptables forwarded (with masquerade) the private section; with ipforward enabled in sysctl.. how do I go about configuring the client? 18:21 < AlbinoGeek> I'm guessing OpenVPN requires the OpenVPN client ; (doesn't emulate PPTP/SSTP/any VPN that windows natively supports.) 18:24 < EugeneKay> It's the same `openvpn` binary whether you're in --server or --client mode 18:25 < EugeneKay> In any case, yes, you need to download the openvpn for windows app 18:25 < EugeneKay> !download 18:25 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. 
It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only 18:25 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs 18:25 < EugeneKay> This installs a special TUN/TAP device(as a network adapter) and handles the magic of routing tables, etc 18:28 < EugeneKay> You built 2.3.0 for CentOS5? You can just get a package for it, though it'll be the older 2.2(I think... might be 2.1 still) 18:28 < EugeneKay> Most sane people have updated to 6 anyway 18:30 < AlbinoGeek> EugeneKay: Thank you. In the case of the Linux, I built everything myself and got everything working. It was nice. 18:30 < AlbinoGeek> But yeah, as per the Windows version I didn't know what to do. 18:31 < AlbinoGeek> Linux always "just works"; I don't get how people stand Windows 18:31 < EugeneKay> It works fine for me :-p 18:31 < EugeneKay> I've messed with my registry far less than I used to argue with xorg.conf 18:31 < AlbinoGeek> EugeneKay: I avoid X :) 18:31 < EugeneKay> I also have 6 monitors, and half the displays are powered by hardware that doesn't have linux drivers AT ALL, so.... 18:32 < AlbinoGeek> EugeneKay: But yeah, with Windows... the builtin VPN adapter was the only one I could get working for the longest time.. 18:32 < AlbinoGeek> But then suddenly PPTPD (PoPToP) stopped being updated / working on linux anymore. so I had to move to OpenVPN finally 18:32 < EugeneKay> The openvpn installer does its thing 18:32 -!- UberDuper [~UberDuper@wsip-174-77-66-158.ph.ph.cox.net] has left #openvpn [] 18:32 < EugeneKay> The only caveat is that you need to start the GUI bit as Admin 18:32 < AlbinoGeek> EugeneKay: Yes, but OpenVPN GUI won't open :) 18:32 < AlbinoGeek> And I have UAC disabled before you ask. 18:33 < EugeneKay> Are you feeding it a config file? 18:33 < AlbinoGeek> EugeneKay: Well no, it's a GUI. 
I just started it from the start menu; and it's done nothing; no window, no file open dialog, no configuration, no tray icon, etc. 18:34 < EugeneKay> Aha. 18:34 < EugeneKay> !ovpn 18:34 <@vpnHelper> "ovpn" is (#1) OpenVPN GUI will load config files with a .ovpn extension when double-clicked. or (#2) this is the same config file format as the standard .conf , just renamed to prevent extension collisions on Windows 18:34 < AlbinoGeek> I'm sitting in the config-file directory atm, but yeah. 18:34 < EugeneKay> Create a config file, name it foo.ovpn 18:34 < EugeneKay> Right click it and run 18:34 < AlbinoGeek> What's the default file loaded by the GUI ? 18:34 < EugeneKay> No clue. 18:34 < AlbinoGeek> ie: default.ovpn or something like that? 18:34 < AlbinoGeek> As it appears to have loaded something, TUN is up and running. 18:34 < EugeneKay> I know that if you use the Service it will load c:\ 18:35 < EugeneKay> c:\Program Files (x86)\Openvpn\config\ or so 18:35 < EugeneKay> (I'm on my desktop, which doesn't have openvpn installed) 18:35 < AlbinoGeek> C:\Program Files\OpenVPN\config 18:35 < EugeneKay> Sounds right 18:35 < AlbinoGeek> Well, I'm here; but what's the default file's NAME ? 18:36 < EugeneKay> AFAIK it's just whatever is in that directory; but this is for the Service. I don't think invoking the GUI by itself does anything 18:36 < EugeneKay> There should be a tray icon you can interact with 18:36 < EugeneKay> Try running 18:36 < EugeneKay> !win_shortcut 18:36 < AlbinoGeek> Yeah, the tray icon is pretty useless. "Settings / Exit" Settings shows proxy settings, and nothing else. 
18:36 < EugeneKay> !winshortcut 18:36 <@vpnHelper> "winshortcut" is To start OpenVPN-GUI easily on Windows, make a shortcut and set the Target as: \"C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe\" --config_dir \"C:\path\to\config\" --connect client.ovpn --show_balloon 0 --silent_connection 1 --show_script_window 0 18:36 < EugeneKay> That isn't \"ed right, but you get the idea 18:37 < EugeneKay> I typically put my config files in c:\Users\eugene\openvpn\, rather than in the Program Files\config dir 18:37 < AlbinoGeek> Okay so let's see... time to copy server config into client config (as per tun/tap etc) 18:37 < EugeneKay> (I keep UAC enabled) 18:37 < EugeneKay> Yup, make up a standard client config file 18:37 < AlbinoGeek> Server is running... tun, alright. What else needs to be the same? Port obvs. 18:37 < AlbinoGeek> Proto set 18:38 < EugeneKay> Off the top of my head.... remote, rport, tls-client, ca, cert, key, pull 18:38 < EugeneKay> Those are the minimum settings 18:38 < EugeneKay> Oh, and proto 18:38 < AlbinoGeek> So what, download ca.crt from the server, and gen a client certificate ? 18:39 < AlbinoGeek> Because ca cert and key both say "client" in this config, but should they be the same keys as the server? (this is really odd to me, standard RSA just has you get a private key...) 18:39 < EugeneKay> Ya, you need to have a client.key and client.crt, if you're doing cert-based auth(the default and sane thing) 18:39 < AlbinoGeek> My server is a proper CA, so creating an RSA certificate for the OpenVPN server was easy, but what do I put on the client now? 18:39 < EugeneKay> No, you should have separate keys/certs for each machine in the setup 18:40 < AlbinoGeek> Uhh what? 18:40 < EugeneKay> Instead of specifying the TLS Server extension in openssl you specify TLS Client 18:40 < EugeneKay> One CA; many different certs. 18:40 < AlbinoGeek> Yeah see, now you've lost me. 
In standard tunneled SSL connections (such as NX, SSH, etc) I generate a certificate on the server, then get myself a copy of the certificate on my local machine, the server keeping the private key. 18:41 < EugeneKay> Yeah, this is different 18:41 < AlbinoGeek> Then that being the authenticator :x 18:41 < EugeneKay> BOTH ends verify the identity of the other against the CA 18:41 < AlbinoGeek> Yeah, well now I have no idea; because OpenSSL-rsakeygen doesn't run on this box at all (Windows). So how would I even gene a cert here? 18:41 < EugeneKay> It's akin to how cert-based email works. You have a client cert and a server cert, both are checked. 18:41 < EugeneKay> Typically you gen on the server(or elsewhere) and then SCP it 18:42 < EugeneKay> !xca 18:42 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa. or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA 18:42 < EugeneKay> That works on Windows, if you really want to do proepr CSRs, but it's more pain than it's worth IMO 18:42 < AlbinoGeek> Well, easy-rsa isn't an issue; I can generate a second cert on the server if that's all I have to do.. but yeah. 18:42 < EugeneKay> Just easy-rsa on the server, SCP+delete from server 18:42 < AlbinoGeek> EugeneKay: Well, my server is a proper CA; so I do have to do the CSR / etc to get the key. 18:42 < AlbinoGeek> Does OpenVPN respect CRL by the way? 18:42 < EugeneKay> Yup, --crl option 18:43 < AlbinoGeek> Ahh good. 18:43 < EugeneKay> I believe it expects DER format, but don't quote me on that 18:43 < AlbinoGeek> Ehh, the CA spits out CRL in all formats; so it shouldn't be an issue. 18:43 < EugeneKay> I'm guessing you're talking about the red hat CA tools? 18:44 < AlbinoGeek> EugeneKay: inhouse software. 18:44 < EugeneKay> Ah, fun 18:44 < AlbinoGeek> So, in keys on the server I have... 
hundreds of files, wtf did easy-rsa do:x 18:44 < EugeneKay> easy-rsa has a ./build-req command that you can use 18:45 < AlbinoGeek> This is what confuses me though ,following to this point a guide on https://safesrv.net/install-openvpn-on-centos/ 18:45 <@vpnHelper> Title: SafeSrv Installing OpenVPN on CentOS 5 and CentOS 6 (at safesrv.net) 18:45 < EugeneKay> Guides are useless :-p 18:45 < AlbinoGeek> They do not specify key or cert on the client, only the CA 18:45 < AlbinoGeek> Then they use linux system login 18:46 < AlbinoGeek> The only different lines in client they specify are: ca ca.crt auth-user-pass comp-lzo reneg-sec 0 verb 3 18:46 < EugeneKay> Yeah, client-cert-not-required 18:46 < AlbinoGeek> EugeneKay: client-cert-not-required isn't specified on the server. 18:46 < EugeneKay> In their guide it is 18:46 < EugeneKay> Which is a terrible idea 18:46 < AlbinoGeek> Nevermind, I saw it. 18:46 < EugeneKay> !howto 18:46 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 18:47 < EugeneKay> That's the only thing we really support here, guide-wise ^ 18:47 < AlbinoGeek> Welp, OpenVPNs "derp I need to authorize myself" seems pretty terrible so far... 18:47 < AlbinoGeek> http://www.secure-computing.net/openvpn/howto.php <-- I was there 18:47 <@vpnHelper> Title: SCN: OpenVPN IRC Channel Policy (at www.secure-computing.net) 18:47 < AlbinoGeek> Note how it has no steps as such as "here are some things you need to consider" 18:47 < EugeneKay> Same thing 18:47 < AlbinoGeek> Which was nice, but yeah 18:47 < EugeneKay> Yeah, that doc could use righting 18:48 < EugeneKay> writing 18:48 < AlbinoGeek> (not to mention half the commands are only there for Windows servers... 
which is terrible) 18:48 < EugeneKay> Brb, need more booze, and to play with fire 18:48 < AlbinoGeek> Heh, Windows Server ^ 18:51 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn 18:52 < AlbinoGeek> Right so, I need to install the CA.CRT on all client machines; and distribute to each client a pair of crt/key client files 19:01 < EugeneKay> Correct 19:09 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has quit [Ping timeout: 256 seconds] 19:09 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn 19:18 < AlbinoGeek> EugeneKay: Yeah... if I rewrite this docs here to actually be useful and less technical, who would I go about submitting it to to be reviewed or used somewhere here? 19:19 < AlbinoGeek> Because yeah, these docs have a lot of things that just confuse people, a lot of parts you go to that don't stream into any other points, "orphaned" or "deadend" pages everywhere. 19:19 < AlbinoGeek> It's hard to follow 19:19 < EugeneKay> !wiki 19:19 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki 19:19 < EugeneKay> Write it up on the official wiki and we can add/edit the bot factoids as needed 19:19 < EugeneKay> A list of "gotchas" and things to consider would be a good start 19:20 < AlbinoGeek> Like, even the CORE things on this documentation are wrong. 19:20 < AlbinoGeek> Such as the location of the "docs" folder on your system. 19:20 < EugeneKay> That's highly build-dependant :-p 19:20 < EugeneKay> !dev 19:20 <@vpnHelper> "dev" is https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list 19:21 < EugeneKay> Eh, not what I was after 19:21 < AlbinoGeek> EugeneKay: Perhaps, but " /usr/share/doc/openvpn-2.0" doesn't help any redhat person, since /usr/local/share is used for docs. Somewhere OpenVPN didn't even put its docs. 
19:21 < AlbinoGeek> On my system, OpenVPN didn't even comes with docs. None in the tar, none in the RPM, none even with yum. 19:21 < EugeneKay> In the packages it is in /usr/share/openvpn/ 19:21 < AlbinoGeek> So.. when the guide references "default config" there are none. 19:22 < AlbinoGeek> EugeneKay: Nope 19:22 < EugeneKay> It is in.... well, lemme see which package this is 19:22 < AlbinoGeek> EugeneKay: /usr/share/openvpn/plugins/lib/ only has two files 19:22 < AlbinoGeek> And that's literally the only thing there. 19:22 < AlbinoGeek> :P 19:22 < EugeneKay> In any case, this is more of a #openvpn-devel question 19:23 < EugeneKay> If you're willing to take on these things and genuinely make it better I'm sure they'll accept your work 19:23 < EugeneKay> But it's a non-trivial thing :-p 19:23 < EugeneKay> I personally only care as far as getting people up & running 19:23 < EugeneKay> The openvpn package I use is from EPEL 19:23 < AlbinoGeek> ^ It's not that hard, writing technical documents is something I have to do quite often, and there's nothing technical about a technical document you submit to computer illiterate people (something I do quite frequently.) 19:23 < AlbinoGeek> :P 19:23 < EugeneKay> I'm on a Scientific Linux 6 system 19:23 < AlbinoGeek> Ahh 19:24 < AlbinoGeek> Scientific Linux 6 being the only sane rhel6 core 19:24 < EugeneKay> Repoforge also provides an openvpn rpm, through 2.2.2 19:24 < EugeneKay> But I only use them when I HAVE to. 19:24 < AlbinoGeek> EugeneKay: 2.3 has many nice features I needed. 19:24 < AlbinoGeek> And compiling something is trivial in linux. 19:24 < EugeneKay> I haven't bothered to rebuild the srpm with 2.3 yet 19:25 < EugeneKay> I don't need ipv6 tunneling, though I ought to 19:25 < AlbinoGeek> wget url; tar xfz file; ./configure; make; make docs; make install 19:25 < AlbinoGeek> Rebuilding the RPM actually failed for me on rhel5. No error. 
19:25 < EugeneKay> I won't judge CentOS vs SL; aside from the fact that SL6 was released months before CentOS6(the reason I moved over)
19:25 < AlbinoGeek> So I just compiled it.
19:25 < EugeneKay> I prefer to stay within the package manager when possible
19:25 < EugeneKay> It helps with sanity
19:25 < AlbinoGeek> Hmm, what is one of the default doc file names ?
19:26 < EugeneKay> No clue. I always just refer to the man page
19:26 < AlbinoGeek> Found it
19:26 < EugeneKay> Really though, see -devel :-p
19:26 < EugeneKay> They know a LOT more about all this than I do
19:26 < AlbinoGeek> On CentOS5 when using compiled docs it sits in: /usr/share/doc/openvpn-2.3.0/sample-config-files/
19:26 < EugeneKay> Sounds right
19:27 -!- raidz is now known as raidz_away
19:27 < AlbinoGeek> So, without a "local" line it will bind to 0.0.0.0 yeah?
19:27 < EugeneKay> Yup
19:28 < AlbinoGeek> And should I need to push any settings for a standard setup?
19:28 < EugeneKay> Where "standard" means "minimum", correct.
19:29 < EugeneKay> The most basic of VPNs is just a p2p link
19:29 < AlbinoGeek> And what of redirect-gateway ?
19:29 < EugeneKay> Note: I ALWAYS specify "topology subnet"
19:29 < EugeneKay> !topology
19:29 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this.
19:29 < EugeneKay> !/30
19:29 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf
19:29 < EugeneKay> That's just a quick command to do the commonly-wanted "send all my internet traffic via the vpn"
19:29 < EugeneKay> !redirect
19:29 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
19:29 <@vpnHelper> http://ircpimps.org/redirect.png
19:30 < AlbinoGeek> Well, ipforward is already configured in sysctl, what else may I have to do?
19:30 < AlbinoGeek> I have enabled push for redirect-gateway and enabled iptables masquerade.
19:31 < EugeneKay> Flowchart ;-)
19:31 < AlbinoGeek> Reading...
19:31 < AlbinoGeek> "VPN IP" being the default gateway when connected as seen by the client?
19:32 < EugeneKay> The IP address on the VPN link
19:32 < EugeneKay> eg, 10.8.0.1
19:32 < EugeneKay> If you use --topology subnet it gets a LOT easier to work with
19:32 < EugeneKay> Hence why I always use it. Always.
19:32 < AlbinoGeek> Well, I have no access to options sent to openvpn.
19:32 < EugeneKay> There are no good reasons to stick with !/30
19:32 < AlbinoGeek> (only the config file, and it doesn't take "topology" as an operand for whatever reason)
19:33 < EugeneKay> The config file? A line containing just "topology subnet" should do it fine
19:33 -!- Orbi [~opera@anon-149-82.vpn.ipredator.se] has quit [Quit: Orbi]
19:33 < AlbinoGeek> EugeneKay: Yeah, it's erroring on that line, moment while I paste logs
19:33 < EugeneKay> !paste
19:33 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
19:33 < AlbinoGeek> Saw that one already in the topic :) !logs
19:34 < EugeneKay> !forget paste 2
19:34 <@vpnHelper> Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
19:34 < AlbinoGeek> !whoami
19:34 <@vpnHelper> I don't recognize you.
19:34 < AlbinoGeek> Lol
19:34 < AlbinoGeek> EugeneKay: Seems you need to auth :)
19:34 < EugeneKay> !learn paste as https://gist.github.com or http://www.pastebin.ca/ are great places to use
19:34 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
19:34 < EugeneKay> What the
19:34 < EugeneKay> Gah, brb
19:34 < EugeneKay> I forget I changed my hostmask
19:35 < AlbinoGeek> EugeneKay: I wouldn't say pastebin.ca to be honest, probably gist.github.com or pastie.org
19:35 -!- EugeneKay [eugene@go-without.me] has quit [Quit: ZNC - http://znc.in]
19:35 -!- EugeneKay [eugene@itvends.com] has joined #openvpn
19:35 < AlbinoGeek> Welcome back.
19:35 < AlbinoGeek> itvends
19:35 < AlbinoGeek> ahah
19:35 < EugeneKay> !paste
19:35 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
19:36 < EugeneKay> ;-)
19:36 < EugeneKay> Check the site
19:36 < EugeneKay> !forget paste 2
19:36 <@vpnHelper> Joo got it.
19:36 < AlbinoGeek> Eww, pastebin.ca is literally pastebinscript from pastebin.com :(
19:36 < EugeneKay> !learn paste as https://gist.github.com
19:36 <@vpnHelper> Joo got it.
19:36 < EugeneKay> !paste
19:36 <@vpnHelper> "paste" is https://gist.github.com
19:36 < EugeneKay> What the
19:36 < EugeneKay> !forget paste
19:36 <@vpnHelper> Joo got it.
19:36 < AlbinoGeek> !pastebin
19:36 <@vpnHelper> "pastebin" is please paste anything with more than 5 lines into pastebin or a similar website
19:36 < AlbinoGeek> ^
19:37 < AlbinoGeek> That's why
19:37 < EugeneKay> Oh, that got fixed finally
19:37 < AlbinoGeek> "paste is pastebin"
19:37 < EugeneKay> Ya
19:37 < AlbinoGeek> !l
19:37 < EugeneKay> Now I get to try to remember how to do this
19:37 < AlbinoGeek> Okay good, it's not that wildcardy
19:37 < AlbinoGeek> !log
19:37 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
19:37 < EugeneKay> It's a very restricted bot :-p
19:37 < AlbinoGeek> -_- Too close to the name of a factoid there.
19:37 < AlbinoGeek> !logs
19:37 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5 or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
19:38 < AlbinoGeek> YUS Starting openvpn: [ OK ]
19:38 < EugeneKay> !learn pastebin as https://gist.github.com is a recommended place to use
19:38 <@vpnHelper> Joo got it.
19:38 < EugeneKay> !pastebin
19:38 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use
19:38 < AlbinoGeek> !paste
19:38 < EugeneKay> !learn paste as @!pastebin
19:38 <@vpnHelper> Joo got it.
19:38 < EugeneKay> !paste
19:38 <@vpnHelper> "paste" is @!pastebin
19:38 < EugeneKay> Nope
19:38 < AlbinoGeek> Hahah
19:38 < EugeneKay> !forget paste
19:38 <@vpnHelper> Joo got it.
19:38 < AlbinoGeek> "pastebin"
19:39 < EugeneKay> !learn paste as pastebin
19:39 <@vpnHelper> Joo got it.
19:39 < EugeneKay> !paste
19:39 <@vpnHelper> "paste" is pastebin
19:39 < AlbinoGeek> "pastebin"
19:39 < EugeneKay> Ohhh gotcha
19:39 < EugeneKay> !forget paste
19:39 <@vpnHelper> Joo got it.
19:39 < EugeneKay> !learn paste as "pastebin"
19:39 <@vpnHelper> Joo got it.
19:39 < AlbinoGeek> !paste
19:39 < EugeneKay> !paste
19:39 <@vpnHelper> "paste" is pastebin
19:39 <@vpnHelper> "paste" is pastebin
19:39 < EugeneKay> Grrr
19:39 < AlbinoGeek> LOL angry bot is angry
19:39 < EugeneKay> !forget pastebin
19:39 <@vpnHelper> Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them.
19:39 < EugeneKay> Gah no
19:39 < EugeneKay> !forget paste
19:39 <@vpnHelper> Joo got it.
19:39 < EugeneKay> !learn paste as [pastebin]
19:39 <@vpnHelper> Joo got it.
19:39 < EugeneKay> !paste
19:39 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use
19:39 < AlbinoGeek> There we go
19:39 < EugeneKay> THERE we go.
19:40 < EugeneKay> Anyway
19:40 < AlbinoGeek> Test
19:40 < AlbinoGeek> Okay so
19:40 < EugeneKay> Back to the point, logs?
19:40 < AlbinoGeek> OpenVPN is now running
19:40 < AlbinoGeek> Client and server
19:40 < AlbinoGeek> Client is just spamming the & out of my screens
19:40 < AlbinoGeek> Finally sits at Initialization Sequence Completed
19:40 < AlbinoGeek> Okay so, flowchart time
19:40 < AlbinoGeek> 10.8.0.1 can be pinged.
19:41 < AlbinoGeek> Redirect-gateway is enabled.
19:41 < AlbinoGeek> 8.8.8.8 can be pinged.
19:41 < AlbinoGeek> Google.com can be pinged.
19:41 < EugeneKay> curl http://util.khresear.ch/myip?o=plain
19:41 < EugeneKay> (just my myip script)
19:41 < AlbinoGeek> http://secure-computing.net/ip.php shows my server's IP.
19:41 <@vpnHelper> Title: SCN: SCN (at secure-computing.net)
19:41 < EugeneKay> Everything sounds good, then
19:42 < AlbinoGeek> "it works"
19:42 < AlbinoGeek> Right, mastered Procedural Flowchart Analysis 101
19:42 < EugeneKay> So, what's the problem?
19:42 < AlbinoGeek> Now to try a real connection, voice control protocol; ICMP/IPX/TCP and UDP; bi-directional
19:42 < AlbinoGeek> brb while I try this...
19:43 < EugeneKay> Good luck
19:43 < AlbinoGeek> Literally
19:43 < ngharo> ipx, no.
19:43 < AlbinoGeek> Something tells me I'll need TAP and BRIDGED
19:43 < EugeneKay> !layer2
19:43 <@vpnHelper> "layer2" is (#1) you are using tap, what specific layer2 protocol do you need to work over the vpn? or (#2) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better or (#3) protocols that use layer2 communicate by MAC address, not IP address
19:44 < EugeneKay> You nearly never need bridging
19:44 < AlbinoGeek> Oh wait a second, what the * is going on.
19:44 < AlbinoGeek> If I connect to the server's IP on anything, it uses my real connection instead of the VPN?
19:44 < EugeneKay> Yes
19:44 < AlbinoGeek> Is that just to prevent looping ?
19:44 < EugeneKay> Yup.
19:44 < AlbinoGeek> Okay so, I should be using 10.8.0.1 I guess?
19:44 < EugeneKay> Yup.
19:45 < ngharo> sure
19:46 < EugeneKay> Indeed
19:46 < AlbinoGeek> IPX is working in TUN... this doesn't make sense?
19:46 < EugeneKay> Between what?
19:46 < AlbinoGeek> Everything in your docs says "NO THIS WON'T WORK"
19:46 < AlbinoGeek> Between myself and the server, and between two clients on the same VPN.
19:46 < AlbinoGeek> (both using the server as a VPN *)
19:47 < EugeneKay> Don't confuse routed and bridged modes with tun vs tap devices
19:47 < EugeneKay> You can pass layer2 packets over a tap device running in routed mode
19:47 < AlbinoGeek> Well, it's tun and routed right now, and IPX is working.
19:48 < AlbinoGeek> Both client and server are practically using default configs, just with paths changed.
19:48 < EugeneKay> o.O
19:48 < ngharo> 0.o indeed
19:48 < AlbinoGeek> I will not complain!
19:48 < EugeneKay> I'm sure there's something going on
19:48 < EugeneKay> Maybe it's a 2.3.x thing
19:49 < EugeneKay> In any case, if it works, stop yer bitchin
19:49 < ngharo> sounds like a bug unfortunately if it does work
19:49 < AlbinoGeek> I had to enable ipv6 ipforward in sysctl to get things working, but that was common sense since it said to do it for ipv4
19:50 < AlbinoGeek> Is it possible to tunnel IPX through another protocol ?
19:50 < EugeneKay> Layer2 :-p
19:50 < AlbinoGeek> EugeneKay: Yes, but without Layer2? ie: abstractly
19:50 < AlbinoGeek> (just thinking out loud) ; kinda how "virtual ipv6" was for a while?
19:50 < AlbinoGeek> Otherwise I have 0 idea how this is working, and won't complain.
19:51 < AlbinoGeek> .
19:51 < AlbinoGeek> ^whois
19:51 < AlbinoGeek> I am AcademyInt@academyintl/director/AcademyIntl
19:52 < AlbinoGeek> Does anyone see my hostname or anything else, or does FOSS cut that out?
19:52 < EugeneKay> Shows as that here too
19:52 < EugeneKay> Freenode's cloak cuts it out
19:52 < AlbinoGeek> Ahh, okay. I won't be able to check if IRC kicked over then.
19:52 < EugeneKay> If you /whois yourself it should say "is connection from"
19:52 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn
19:52 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has quit [Client Quit]
19:53 < EugeneKay> connecting*
19:53 < AlbinoGeek> AlbinoGeek's info: is connecting from *@you.would.like.to.know 127.0.0.1
19:53 < EugeneKay> I can't spell tonight. Need more booze
19:53 < AlbinoGeek> I'm pretty sure my client removes that :x
19:53 < AlbinoGeek> This client is more skiddy than a real IRC client, so I'm not surprised it filters / randomly changes things.
19:54 < EugeneKay> Aha
19:54 < EugeneKay> HexChat shows it fine
19:54 < AlbinoGeek> EugeneKay: Ahh, so you know what a Skid is? :P
19:54 < EugeneKay> Nope
19:54 < AlbinoGeek> So, I can't use the same client keypair on another machine, can I?
19:54 < AlbinoGeek> What will happen if I do?
19:55 < EugeneKay> You can. If you connect, the default is to knock off any previously-connected clients(identified by IP+source port) using the same common-name
19:55 < EugeneKay> Look at --duplicate-cn
19:55 < AlbinoGeek> Well, username-as-cn is on, so that'd be a bad idea to try I guess.
19:56 < EugeneKay> Yeah
19:57 < AlbinoGeek> EugeneKay: Uhoh, it won't let me make more client keys.
19:57 < EugeneKay> o.O ?
19:57 < AlbinoGeek> That big "reset everything" error
19:57 < AlbinoGeek> EugeneKay: http://pastie.org/5722988
19:58 < EugeneKay> Oh
19:58 < EugeneKay> Just run 'source ./vars'
19:58 < AlbinoGeek> (because I've already built my dh ?)
19:58 < EugeneKay> All it's saying is that your current bash session doesn't have the right set of env vars defined
19:58 < AlbinoGeek> ./vars: No such file or directory
19:58 < AlbinoGeek> there's a "vars" file in the cd
19:58 < EugeneKay> Did you copy easy-rsa someplace? :-p
19:58 < EugeneKay> You should have a vars file
19:59 < AlbinoGeek> There is a vars file, I can see it in ls-lisa
19:59 < EugeneKay> That's the one you wanna source
19:59 < EugeneKay> It's just some basic stuff about your CA
19:59 < AlbinoGeek> NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
19:59 < AlbinoGeek> Just a warning I guess?
19:59 < EugeneKay> So don't do that
19:59 < EugeneKay> Ya. The HOWTO says to do clean-all
19:59 < EugeneKay> If you're just adding a new keypair, DONT do that
19:59 < AlbinoGeek> Yeah, obvs :)
19:59 < EugeneKay> (another place the docs could use work)
20:00 < AlbinoGeek> I know what rm -rf does, unlike some Ubuntu people....
20:00 < EugeneKay> Hehehe
20:00 < AlbinoGeek> Committing.. and downloading. Nice.
20:00 < AlbinoGeek> Hopefully this works, if so then I'll be out of your hair.
20:01 < EugeneKay> You seem to know what you're talking about. A welcome respite
20:01 < EugeneKay> Feel free to stick around ;-)
20:01 < AlbinoGeek> How lively is this channel exactly, OpenVPN seems to have scared off many of its prospective users by being so cryptic in its setup instructions.
20:02 < AlbinoGeek> Myself included for a while.
20:02 < EugeneKay> We get a few people a day
20:02 < EugeneKay> Networking is not for the light-of-heart
20:02 < EugeneKay> !101
20:02 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
20:02 < EugeneKay> We're not scared to point to that ^
20:03 < AlbinoGeek> Perhaps, but at least some documentation should be there :). I suppose I'll have to submit these changes.
20:04 < AlbinoGeek> I've chosen to head the docs I write in a sense of "howto" from your operating system and distro point of view, with all pathnames and commands on that page listed only for your selected distro and OS to prevent confusion.
20:04 < AlbinoGeek> I've finished CentOS 5 for client and server, now writing Windows 7 client/server docs.
20:04 < EugeneKay> !windows
20:04 <@vpnHelper> "windows" is (#1) computers are like air conditioners, they work well until you open windows. or (#2) http://secure-computing.net/files/windows.jpg for funny or (#3) http://secure-computing.net/files/windows_2.jpg for more funny
20:05 < AlbinoGeek> Both jpg links are dead.
20:05 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined #openvpn
20:05 * EugeneKay smacks ecrist
20:05 < AlbinoGeek> Needs more funny
20:06 -!- cyberspace- [20253@ninthfloor.org] has quit [Quit: leaving]
20:06 < AlbinoGeek> Interesting, 64bit OpenVPN windows does not run on Windows 7 64bit Enterprise
20:06 < AlbinoGeek> :/
20:06 < AlbinoGeek> Architecture mismatch error.
20:06 < EugeneKay> There's a x64 build nowadays?
20:06 < EugeneKay> WOwza
20:06 < AlbinoGeek> Ehh, the 32bit works fine.
20:07 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
20:08 < AlbinoGeek> EugeneKay: And what were you talking about /30 earlier? I didn't do your topology thing (never got around to it) and my clients are being named sanely
20:08 < AlbinoGeek> .10 .11 .12 .13 so far.
20:08 < EugeneKay> o.O
20:08 < EugeneKay> !/30
20:08 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf
20:08 < EugeneKay> AFAIK they didn't change the default in 2.3
20:08 < EugeneKay> But I haven't used it, so.
20:08 < AlbinoGeek> I don't think they have.
20:09 < AlbinoGeek> Mind you some machines have ipv4 disabled, not entirely sure why they are still being assigned an ipv4 address.
20:09 < AlbinoGeek> Nevermind, ipv4 disabled on the physical NIC, not the virtual tuns.
20:09 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit []
20:10 <+rob0> Hmmm. "OpenVPN seems to have scared off many of its prospective users," well no, I have not seen evidence of that; "by being so cryptic in its setup instructions." No, this is not so. The HOWTO and manual and mini-howto docs are excellent.
20:12 < AlbinoGeek> rob0: Ehh, when the second step tells you about routed / bridged ; that's enough to scare off most.
20:12 <+rob0> It simply means you need to learn more about basic networking before you step into advanced networking.
20:56 -!- p47 [~Marcos1@189.232.114.214] has joined #openvpn
21:01 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
21:01 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit []
21:05 -!- p47 [~Marcos1@189.232.114.214] has quit [Quit: Saliendo]
21:34 -!- amir [~amir@unaffiliated/amir] has quit [Ping timeout: 260 seconds]
21:34 -!- amir [~amir@unaffiliated/amir] has joined #openvpn
22:00 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has joined #openvpn
22:07 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has quit [Ping timeout: 252 seconds]
22:13 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
23:17 -!- brute11k1 [~brute11k@89.249.230.101] has quit [Quit: Leaving.]
23:23 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn 23:24 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Ping timeout: 256 seconds] 23:29 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn 23:30 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Excess Flood] 23:31 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn 23:34 -!- MeanderingCode_ [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn 23:34 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Ping timeout: 248 seconds] 23:35 <@novaflash> rob0; i had a guy asking me to teamviewer with him - 10 times before i kicked him - to set up a vpn server for him... but the guy didn't even know what a subdomain was. 23:55 -!- zeeshoem is now known as mnathani --- Day changed Sat Jan 19 2013 00:43 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Remote host closed the connection] 00:45 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn 01:28 -!- djc [~djc@gentoo/developer/djc] has joined #openvpn 01:28 < djc> do people here know about the iOS app, or should I sent email? 01:28 < djc> my route-gateway stuff doesn't seem to work on my iPad 01:29 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [] 01:29 < djc> i.e. 'push "route 10.33.3.0 255.255.255.0"' on the server 01:30 < djc> but when I try to go to 10.33.3.12 in the browser, it can't find it 01:46 -!- kunji [~kunji@c-68-60-83-138.hsd1.mi.comcast.net] has left #openvpn [] 01:53 -!- ducblangis [~Ducblangi@24-117-207-111.cpe.cableone.net] has joined #openvpn 01:54 -!- mattock is now known as mattock_afk 01:59 < AlbinoGeek> !layer2 01:59 <@vpnHelper> "layer2" is (#1) you are using tap, what specific layer2 protocol do you need to work over the vpn? 
or (#2) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better or (#3) protocols that use layer2 communicate by MAC address, not IP address 02:00 < djc> well, I'm not using tap, and I know a bit of routing 02:00 < djc> so that's not very helpful 02:10 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 252 seconds] 02:21 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has quit [Ping timeout: 245 seconds] 02:38 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn 02:52 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has quit [Ping timeout: 245 seconds] 02:56 -!- Porkepix [~Porkepix@lns-bzn-20-82-64-31-107.adsl.proxad.net] has joined #openvpn 03:03 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn 03:15 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 276 seconds] 03:26 < AlbinoGeek> djc: Sorry, I was trying to find something myself. 
03:26 -!- novaflash_away [~novaflash@vpnserver1.jellemaautomatisering.nl] has joined #openvpn 03:26 -!- novaflash_away is now known as novaflash 03:32 -!- novaflash [~novaflash@vpnserver1.jellemaautomatisering.nl] has quit [Changing host] 03:32 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn 03:32 -!- mode/#openvpn [+o novaflash] by ChanServ 03:38 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn 03:38 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 03:38 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn 03:38 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host] 03:38 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 03:47 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds] 04:07 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn 04:07 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host] 04:07 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 04:08 -!- dydzEz2 [dydzEz2@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn 04:11 -!- swat [~swat@ubuntu/member/swat] has quit [Quit: Leaving.] 04:17 < EugeneKay> djc - not a clue about iOS. Sorry. 
04:55 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has quit [Ping timeout: 245 seconds] 05:28 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 05:28 -!- mode/#openvpn [+v s7r] by ChanServ 05:39 -!- eutheria [~euther0a@cpc2-cmbg15-2-0-cust990.5-4.cable.virginmedia.com] has joined #openvpn 05:43 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 05:44 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 05:49 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has quit [Excess Flood] 05:51 -!- _br_ [~bjoern_fr@static.88-198-57-152.clients.your-server.de] has joined #openvpn 05:53 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 255 seconds] 06:04 -!- Thermi_ [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has quit [Quit: ZNC - http://znc.in] 06:10 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn 06:37 -!- Valcorb [~Valcorb@199.229.249.189] has joined #openvpn 06:48 -!- Fritzah [u291187@ool-44c4f941.dyn.optonline.net] has joined #openvpn 07:00 -!- Fritzah [u291187@ool-44c4f941.dyn.optonline.net] has quit [Remote host closed the connection] 07:05 -!- Valcorb [~Valcorb@199.229.249.189] has quit [Ping timeout: 255 seconds] 07:05 -!- Fritzah [u291187@ool-44c4f941.dyn.optonline.net] has joined #openvpn 07:05 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn 07:10 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit [Read error: Connection reset by peer] 07:16 -!- Fritzah [u291187@ool-44c4f941.dyn.optonline.net] has left #openvpn [] 07:17 < Freeaqingme> With 2.2, can I use a tunnel (tun, no tap) that is set up over ipv4, and which tunnels ipv6 traffic? 
07:19 < Wulf> Freeaqingme: probably
07:20 < Wulf> I never tried but I'd be really surprised if it does not work
07:20 < Freeaqingme> well, there's this: http://openvpn.net/index.php/open-source/faq/77-server/287-is-ipv6-support-plannedin-the-works.html
07:20 <@vpnHelper> Title: Is IPv6 support planned/in the works? (at openvpn.net)
07:21 < Freeaqingme> so if it is supported, it is really recent. But I'm not sure if the article implies that the limitations apply to <2.2rc2, or that they also apply to 2.2
07:21 < Wulf> oh.
07:22 < Wulf> then go and use 2.3; it was released not long ago
07:22 < Freeaqingme> I'm seeing that just now! if I can find an ubuntu package..
07:23 < Wulf> make your own
07:24 < Freeaqingme> Wulf, got it ;) http://repos.openvpn.net/repos/apt/conf/repos.openvpn.net-precise-snapshots.txt
08:38 < plaisthos> Freeaqingme: no, 2.2 does not do that
08:38 < plaisthos> Freeaqingme: the ubuntu packages include the ipv6 patches
08:38 < plaisthos> so it should work as well
09:22 < Qianyi> hi
09:22 < Qianyi> can't visit openvpn.net, could anyone please provide another link to download the newest beta for windows of openvpn?
09:22 < Qianyi> :)
10:07 <+rob0> beta? There is no beta at this time. 2.3 is the current release.
10:57 < Qianyi> rob0, i mean 2.3 rc2
10:57 < Freeaqingme> Wulf, vpnHelper There's one remark though: Options error: --server-ipv6 settings: only /64../112 supported right now (not /122)
10:57 < Qianyi> would anyone have a mirror or link?
10:58 <+rob0> Qianyi, you should use the final release version, not rc2.
10:59 <+rob0> sorry, I do not know of alternate download sites, if Google can't find them.
11:00 < Qianyi> np thanks
11:29 < Freeaqingme> Is there any obvious reason ifconfig-ipv6-pool only supports /64 pools?
11:42 < nucl3ar> !welcome
11:42 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:42 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:45 < nucl3ar> anybody familiar with issues concerning openvpn killing bandwidth *after* it's shut down?
11:48 < nucl3ar> example: (#1) speed test using wget avg roughly 2.5-3 mb/s without openvpn (#2) connect through openvpn, use wget again, roughly 1.0 mb/s (#3) kill openvpn (ctrl+c), run wget speedtest for last time.. this time 70 kb/s (dies intermittently).
11:50 < Martin`> Hello world!
12:04 < Martin`> When I want to connect my ipad to openvpn, do I have to change my server config? my server is configured with tap devices (I bridged the devices). I see the ios client does not support tap. is this a problem? or can client be tun, and server tap?
12:07 < dioz> interesting
12:08 < dioz> there is ios support now
12:09 < dioz> check the apple store
12:09 < dioz> !ios
12:09 < dioz> !apple
12:09 < dioz> lemme scroll back a second
12:09 < Martin`> I know, downloaded the app, but I read there is no tap support in ios
12:10 < dioz> oooh i see what you're saying
13:50 < p47> When I connect to the vpn I can access my server but my computer just gets disconnected from the internet. any idea?
14:41 < Martin`> p47: do you want to have internet via vpn?
14:42 <+pekster> Sounds to me like a case of redirect-gateway being pushed but not functioning (maybe the server doesn't forward the traffic properly?)
14:44 < p47> Martin`, solved
14:44 < p47> thank you
14:47 < Martin`> you're welcome
14:47 < Martin`> now I'm going to solve my problems
14:47 < Martin`> want to connect an ios device. but need a tun instead of tap for that
14:47 < p47> Martin`, LOL
14:47 <+pekster> Why use tap in the first place?
14:47 < Martin`> guess routing is the only way :(
14:47 <+pekster> !tunortap
14:47 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. or (#2) and if your reason for wanting tap is windows shares, see !wins or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
14:47 <@vpnHelper> over the vpn or (#4) lan gaming? use tap!
14:48 < p47> Martin`, I would like to help you but I can not, I'm a noob
14:48 < Martin`> hmm
14:48 < EugeneKay> Martin`, you can use a tap device in routed mode just fine.
14:49 < Martin`> pekster: I run the vpn on different ports. over http proxy needed on port 442
14:49 < Martin`> 443
14:49 < Martin`> so I bridge multiple vpn's
14:49 < Martin`> port 443 with redirect gateway
14:49 <+pekster> Oh. I just use separate ranges and route them internally when I need to do that
14:50 <+pekster> eg: if you have 10.8.0.0/24 as your VPN range, give 1 VPN 10.8.0.0/25 and another 10.8.0.128/25, and connect them together in the server/firewall if you want clients to talk to each other
14:50 < Martin`> I believe you can not bridge a tun
14:50 <+pekster> I'm talking about routing them, not bridging them
14:50 <+pekster> Notice how I split the /24 into two /25's
14:50 < Martin`> ok
14:50 <+pekster> I mean, you can bridge 2 taps like you're doing too, but if the only reason is to "connect" both VPNs, I think it's a bad solution
14:51 < EugeneKay> Bridging bridges is not a sound structural decision
14:52 < Martin`> ok, but I'm not changing the setup right now, so I add one with tun I guess :P
14:52 <+pekster> You can always make the 2nd one a tun/routed configuration later when you can handle the downtime/setup-time
14:52 < Martin`> setup time is the big issue :P
14:53 <+pekster> As long as the server has ip-forwarding enabled and the firewall permits it, you can have as many VPNs communicating with other VPNs as you want
14:53 < Martin`> need to config multiple things
14:53 < Martin`> the server has its own public ip so not a problem
14:54 <+pekster> With NAT/port-forwarding, it doesn't really matter. My home VPN server (currently running 3 VPNs, and soon to be a couple more) works fine behind my NAT box
14:55 < Martin`> :)
14:55 <+pekster> OpenVPN is very "NAT-friendly" since all traffic goes over a single port
14:55 < Martin`> that's why I like it :)
15:08 < Martin`> pekster: but it is always better to get tun and routing?
15:08 <+pekster> Martin`: Unless you need tap (as the bot's output told you earlier) yes
15:09 <+pekster> If you're not doing weird stuff like multicast broadcasts or Ethernet broadcast protocols, you don't need tap for your setup
15:09 <+pekster> If you don't know what any of that is, you don't need tap
15:09 < Freeaqingme> or ipv6 with a subnet smaller than /112
15:09 <+pekster> Any ISP giving you less than a /64 needs to be shot
15:10 < Martin`> I can use a /48
15:10 < Freeaqingme> pekster, for a mere vps?
15:10 < Martin`> that is the next step I wanna do. add ipv6 support
15:10 < Martin`> not sure if my openvpn version does support it
15:10 <+pekster> Freeaqingme: Sure, why not. IPv6 space is huge. Maybe a customer has to officially "request" it, but there's no reason to fail to give customers at the very least a /64 if they're paying for IPv6 access
15:10 < Freeaqingme> Martin`, 2.3.0 supports anything up to /112, although it's easiest with a /64
15:12 < Freeaqingme> pekster, true
15:12 < Martin`> OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
15:12 < Martin`> really need to upgrade
15:12 <+pekster> The recommendation for ISPs is to give residential customers at *least* a /64, and a /56 is suggested
15:13 < Martin`> I hope my home isp will give me a /64
15:13 <+pekster> If a hosting provider can't do that for a paying customer, I'd shop elsewhere
15:13 < Martin`> true, a /48 was not expensive for me
15:13 < Freeaqingme> pekster, I know. My default isp gives out 1 /48 per connection. But in case of a single machine (not a network, normally), a /112 is pretty big normally
15:14 <+pekster> Even a /56, that gives you 2^8, or 256 possible /64's. I can't imagine a home user needing more than that
15:14 < Martin`> I give every customer of mine a /64
15:14 < Martin`> (vps)
15:14 < Martin`> and they can add ip's of the range to their vpsses
15:14 <+pekster> Yea. That's 65536 /64's. Subtract a few dozen for whatever backend stuff you need if you're large, and that's still a lot of customers you can support
15:15 <+pekster> If you have more customers than that, you need a larger allocation and can easily justify it to upstream
15:15 < Martin`> I'm only a little bit sad that they configured ipv6 as a full /48 subnet
15:16 < Freeaqingme> Martin`, but besides that. Ideally openvpn would support smaller subnets as well. What I found in commit messages, the only reason not to do so /yet/ is that with ipv6 currently only RA seems supported
15:16 <+pekster> A /112 isn't small enough?
15:17 < Freeaqingme> for 2 hosts, a /127 should be enough ;)
15:17 <+pekster> Well, IPv6 is *huge*
15:17 <+pekster> If you have even a "small" /64 as a residential customer, you can support this many /112 VPNs: 72057594037927936
15:17 <+pekster> That's a number so large I don't even really understand how big it is
15:17 < Freeaqingme> pekster, I know
15:17 <+pekster> The age of /30's is over. use PtP if you want to do stuff like that
15:22 < Martin`> hmm strange, connection works great (on osx) but when I disconnect I get a lot of errors
15:23 < Martin`> Sat Jan 19 21:30:16 2013 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
15:23 < Martin`> on server
15:23 <+pekster> That's normal, because the peer is returning 'ICMP port unreachable'
15:23 < Martin`> ok
15:23 <+pekster> Use 'explicit-exit-notify 2' or such on the client side if you don't like that
15:24 < Martin`> ah then he tells that he is leaving
15:24 <+pekster> Yea. Without that, a peer has no indication the connection is "down" until a timeout occurs
15:24 <+pekster> (same as if the PC crashed or the Internet link went down)
15:27 < MorgyN> spunk smurf
15:30 < Martin`> SIGTERM[soft,remote-exit] received, client-instance exiting
15:30 < Martin`> much better
15:30 < Martin`> now try to use it on ios
15:36 < Martin`> days of work with some other vpn server to get it to run on ios
15:36 < Martin`> now it just works easily with openvpn :D
15:40 < Martin`> now I can route some traffic via home so I can watch tv on my ipad :P
16:03 < Qianyi> anyone have a mirror for openvpn 2.3rc2?
16:03 < Qianyi> can't visit official download site
16:03 <+pekster> Qianyi: I can dump it on my personal webhost; do you really want 2.3rc2 and not 2.3.0 final?
16:03 <+rob0> I mentioned that earlier.
16:04 <+pekster> Yea, I noticed; I wasn't quite online then
16:04 < Qianyi> rob0, that is the version i would like to use, it is stable
16:04 <+pekster> Qianyi: By nature of a "release candidate" it is *LESS* stable than the final 2.3.0 release
16:04 < Qianyi> used it in the past but have new ssd without it
16:04 <+pekster> Qianyi: If you don't understand this, you probably want 2.3.0
16:05 <+pekster> (That said, there's hardly any difference between 2.3rc2 and 2.3.0 anyway)
16:05 < Qianyi> i know rc stands for release candidate
16:05 < Qianyi> it's just the version i would like to use
16:06 * pekster shrugs. Whatever you want, really; I'm just making sure you really want it before I go through the trouble of mirroring it for you. What platform? (and if Windows, 32 vs 64 bit?)
16:06 < Qianyi> pekster, thanks!
16:07 < Qianyi> windows 7 64
16:09 < Valcorb> hey guys, i have a question
16:09 < Valcorb> i have a Debian server
16:09 < Valcorb> with openvpn server installed
16:09 < Valcorb> i've configured it completely
16:09 < Valcorb> and im able to connect
16:09 < Valcorb> but i can't browse
16:09 < Valcorb> or anything
16:09 < Valcorb> just says 'not found'
16:09 < Valcorb> anyone knows where it could be?
16:10 <+pekster> Valcorb: If you're using "Access Server" that's not supported here. The open-source openvpn package has no "server" version
16:10 <+pekster> !as
16:10 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
16:10 < Valcorb> nono
16:10 < Valcorb> Community
16:10 <+pekster> Are you using redirect-gateway?
16:10 <+pekster> Qianyi: http://pekster.sdf.org/misc/ovpn-2.3rc2/
16:10 <@vpnHelper> Title: Index of /misc/ovpn-2.3rc2 (at pekster.sdf.org)
16:10 < Valcorb> hmm
16:10 < Valcorb> i think so
16:11 <+pekster> I've included the GPG sig too, just in case you don't trust me (if you're security-conscious you should validate it even if you do trust me since it's not a secured link)
16:11 < Valcorb> i should be using it
16:12 < Valcorb> i'll check the cong
16:12 < Valcorb> *conf
16:12 <+pekster> Valcorb: Well, not if you don't want it. It sounds a bit to me like you're redirecting your default gateway with that parameter and can't access resources after you connect due to a misconfiguration
16:12 <+pekster> !redirect
16:12 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:12 <@vpnHelper> http://ircpimps.org/redirect.png
16:12 < Valcorb> hmm
16:12 < Valcorb> sec
16:13 < Valcorb> ah yes i am
16:13 < Valcorb> so I should just uncomment it?
16:13 < Valcorb> *comment
16:13 <+pekster> Do you want to redirect all client Internet access through the VPN?
16:14 <+pekster> Don't use that directive unless you want what it does (that applies to all the directives, really)
16:14 < Valcorb> hmm
16:14 < Valcorb> i guess not
16:14 < Qianyi> pekster, much appreciated, got it
16:14 <+pekster> Qianyi: np
16:24 < Valcorb> pekster: i'll try later, having some vps issues
16:26 < Valcorb> thanks tho
18:41 < Valcorb> hey another question
18:42 < Valcorb> im using user/pass verification
18:42 < Valcorb> but it keeps asking for my user/pass every hour
18:42 < Valcorb> a way to prevent that?
18:54 < AndChat330644> My openvpn has been working on Android and suddenly I get the error message. P:OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
18:56 <+pekster> Valcorb: See --auth-nocache option which I suspect you're using without realizing what it does
18:56 <+pekster> Valcorb: You might also be accepting credentials in a way that's unavailable during re-keying/re-auth, in which case you'd need to explain your setup better
18:57 < Valcorb> is it a client issue?
18:57 <+pekster> Yes
18:57 <+pekster> AndChat330644: Pretty explicit error message.
Either push the required gateway value from the server or fix the way you call the 'route' directive to include that gateway client-side 18:57 < Valcorb> yes i'm using auth-nocache 18:57 < Valcorb> should i remove it? 18:58 <+pekster> Valcorb: Why don't you look it up in the manpage and decide if you want it. The description says very specifically what it does 18:58 < Valcorb> aight 18:58 < Valcorb> thanks 18:58 <+pekster> I'm happy to answer questions after you've read the documentation, but it's bad form to come on IRC, get a reference for your problem, and then ask another question before you've read it 19:04 < AndChat330644> I have always pushed a route from server. No change in configuration. After latest application update i get this error. 19:04 < AndChat330644> On client side route is called this way. Route 0.0.0.0 0.0.0.0 19:06 <+pekster> AndChat330644: That only works if the server is pushing the 'route-gateway' value 19:06 <+pekster> Otherwise you'd need to specify the gateway client-side either explicitly as a 3rd parameter to the 'route' directive, or via a separate 'route-gateway' directive (the client can define that too if you're unable or unwilling to push it server-side) 19:11 < dioz> pekster: idk if it's me or what the problem is. 2.1.3 i couldn't get dev-node to change to Local Area Connection 2 19:11 < dioz> error would always say "mytap" so i had to change the name in windows 19:11 < dioz> i thought it was weird 19:11 < dioz> idk if you even remember talking to me ;] i see you here a lot 19:12 < AndChat330644> +pekster now it's complaining about ipv6 gw 19:13 < AndChat330644> thanks for the tips though I now know where to look 19:18 < AndChat330644> http://db.tt/Ttul4PIK 19:18 <@vpnHelper> Title: Dropbox - picsay-1358644668.jpg - Simplify your life (at db.tt) 19:20 < AndChat330644> Screen shot of my config 19:20 <+rob0> screen shot? 
19:28 < AndChat330644> Lol ro
19:28 < AndChat330644> Auto correct +rob0
19:34 < AndChat330644> Do you happen to know how to ignore --ifconfig-ipv6..
21:16 <+pekster> dioz: Use 'openvpn.exe --show-adapters' to get both the display strings and the CLSID of valid TAP adapters on your system
21:16 <+pekster> You may use either the display name or the CLSID as you prefer
21:58 < dioz> pekster: i tried using the GUID listed in the --show adapters output too
21:58 < dioz> ooor whatever it's called
22:07 <+pekster> dioz: Works fine for me under 2.3.0, and I know I've used it before too
22:07 <+pekster> 'dev-node {0A1B2C3D...}'
22:07 <+pekster> Copy & paste the CLSID output, including the brackets
22:08 <+pekster> dioz: Your log output should show you the device name and CLSID too on a line that begins with: TAP-WIN32 device [Display Name Here] opened: \\.\Global\{CLSID_GOES_HERE}.tap
--- Day changed Sun Jan 20 2013
09:57 < lipi> hello, I would like to create a wizard that includes my certs by default, how can I do this?
09:57 < lipi> and to set openvpn with service mode and autoconnect at windows startup
10:06 < lipi> on the other hand, do you think it is a very bad practice to give some clients the same certs?
10:06 < lipi> for example, I have an office with 4 static PCs always connected to my VPN.. so in order to minimize deployment costs I manage only 1 cert for these 4 hosts...
10:54 < Cubox> !routing
10:54 < Cubox> !linrouting
10:54 < Cubox> ._.
10:54 < Cubox> !welcome
10:54 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:54 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:55 < Cubox> !linredirect
10:55 < Cubox> !redirect
10:55 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
10:55 <@vpnHelper> http://ircpimps.org/redirect.png
10:55 < Cubox> !ipforward
10:55 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
10:55 < Cubox> !linipforward
10:55 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
11:02 < Cubox> Guess what, I can't route traffic. Using Arch, ufw. openvpn server and client can ping. Have this rule in iptables -t nat -S -A POSTROUTING -s 10.8.0.2/32 -o enp1s0:1 -j MASQUERADE
11:07 < Cubox> enp1s0:1 is working
11:12 < Cubox> I have the /proc/sys rule for ip forwarding too.
11:17 <+pekster> lipi: You can write your own installation wrapper using NSIS or similar
11:18 <+pekster> lipi: As far as re-use of certs, it's allowed (as long as your server is configured to allow >1 connection from the same CN) but can cause problems if you ever need to revoke the cert of just 1 of the users or systems, or if you need to identify which user was using a specific IP
11:19 <+pekster> Cubox: What are you trying to do at a high level with openvpn? Redirect all traffic from a client?
11:20 < Cubox> Yep
11:20 < lololojfegdiufhg> redirect-gateway def1 too
11:20 < Cubox> I have push
11:20 < Cubox> Oops
11:20 < Cubox> I have push redirect-gateway def1 on config.
11:20 <+pekster> Cubox: Did you see the flowchart linked in the !redirect output? Follow that and feel free to ask if you get stuck
11:20 <+pekster> It helps guide you through all the steps required for that to work
11:21 < Cubox> firewall issue :P
11:22 <+pekster> Can you pastebin the output of 'iptables-save' ?
11:23 <+pekster> Labeling your interfaces before the output would be helpful too so I know what the uplink and tun devices are
11:23 < Cubox> iptables-save doesn't give anything...
11:23 <+pekster> It requires root access (like any netfilter command)
11:23 < Cubox> forgot this
11:23 < Cubox> pekster: gg
11:24 < Cubox> http://alduin.cubox.me/files/dump
11:24 < Cubox> you can add .txt if any
11:25 <+pekster> No need, although the MIME type from your server treats it as a binary stream
11:25 <+pekster> Oh, adding .txt to the URI gets your server to do the right thing
11:25 < Cubox> :)
11:26 < Cubox> pasting you ip addr
11:26 <+pekster> enp1s0:1 is your WAN/internet interface?
11:26 < Cubox> http://paste.placeholder.fr/show/172/
11:26 <+pekster> Ah, nvm, that explains it too :)
11:26 < Cubox> Yes
11:27 <+pekster> You should MASQUERADE the entire VPN network, not just that single host
11:27 < Cubox> I know, Just for migrating server
11:27 <+pekster> huh?
11:27 < Cubox> I need this computer to be linked first
11:27 < Cubox> This computer has its own ip address
11:28 <+pekster> Is the client actually using 10.8.0.2?
11:28 < Cubox> and the other computers will have the enp1s0 ip address
11:28 < Cubox> pekster: yes
11:28 < Cubox> pekster: I can ping it.
11:28 <+pekster> k
11:30 <+pekster> Looks like your FORWARD chain doesn't allow the traffic
11:31 < Cubox> Forward ...
11:31 <+pekster> You need a rule to allow it on the FORWARD chain (or a chain it calls) too, not just the SNAT/MASQUERADE rule
11:31 < Cubox> ╰─➤ cat /etc/default/ufw 1 ↵
11:31 < Cubox> DEFAULT_FORWARD_POLICY="ACCEPT"
11:31 < Cubox> (this is a part of the file)
11:32 <+pekster> Oh, okay. I blindly assumed the 'ufw-reject-forward' chain would reject it; apparently not
11:32 <+pekster> (those are some ugly rules, but I guess I've just never seen ufw-generated rules before)
11:33 <+pekster> And ipforwarding is on? Can you 'cat /proc/sys/net/ipv4/ip_forward' and get 1?
11:33 < Cubox> Yep, 1
11:34 <+pekster> If you do a 'ping 4.2.2.1' or such client-side, can you tcpdump the tun0 interface and see packets?
11:35 <+pekster> The server-side firewall looks okay, given the ACCEPT policy on the FORWARD chain (ultimately you probably want to fix that, but it's okay for now for testing)
11:35 < Cubox> Doing that
11:37 < Cubox> 18:36:56.205183 IP 10.8.0.2 > 8.8.8.8: ICMP echo request, id 24294, seq 79, length 64
11:37 < Cubox> 18:36:56.610825 IP 10.8.0.2.54554 > Alduin.60001: UDP, length 94
11:37 < Cubox> 18:36:56.761679 IP Alduin > 10.8.0.2: ICMP Alduin udp port 60001 unreachable, length 130
11:38 < Cubox> strange o.O
11:38 <+pekster> So the ping goes through (not sure about that UDP stuff, but I'll happily ignore that for now.) You get no reply though
11:39 < Cubox> 18:37:09.216401 IP 10.8.0.2 > 8.8.8.8: ICMP echo request, id 24294, seq 92, length 64
11:39 < Cubox> and no reply
11:39 <+pekster> If you do the same dump on the outside-facing interface do you see the packet go out? 'tcpdump -pnvi enpls0 and host 8.8.8.8' ?
11:39 <+pekster> (that tcpdump will make sure it doesn't spam you with normal traffic during the dump)
11:40 <+pekster> Erm, no 'and'
11:40 <+pekster> Just 'host 8.8.8.8'
11:41 <+pekster> Maybe it's not going out that interface?
11:41 < Cubox> enp1s0 or enp1s0:1 ?
11:41 <+pekster> If you get no traffic doing that tcpdump, please post output of 'ip route show table all'
11:41 <+pekster> Oh, right, 'enpls0' since the alias is just that
11:41 <+pekster> My guess is that it's using the wrong interface, namely the primary IP on that interface, not the alias
11:42 <+pekster> Actually, you might be able to verify that via 'iptables -t nat -xnvL POSTROUTING' too
11:42 < Cubox> http://paste.placeholder.fr/show/173/
11:42 <+pekster> If you see a '0' in the packet column (that's the rule hitcount) then it's not getting matched
11:42 <+pekster> Yea, so you're not SNAT'ing the traffic
11:43 <+pekster> I don't think you can MASQUERADE on an alias like that
11:43 < Cubox> http://paste.placeholder.fr/show/174/
11:43 <+pekster> You can't magically make traffic come from a 2nd IP like that; you need routing rules/tables to do that
11:45 < Cubox> hmm
11:45 <+pekster> Cubox: So, that default route on line 2 of the route output, means that it goes out via the primary IP of enpls0, not any of the secondary ones
11:45 <+pekster> You can't match on an alias like that in netfilter, because the alias doesn't actually exist (it's just a 2nd IP on the same interface)
11:46 < Cubox> yeah, I see
11:46 <+pekster> If you want to use a 2nd upstream IP, you need to specifically declare it in the 'src' attribute of a routing table entry, and if you don't want that to be the default for all packets, you must define routing rules to send the traffic to a non-default routing table
11:46 <+pekster> see 'man ip' for the syntax, and 'ip route help' and 'ip rule help' for rule/route specific usage commands
11:46 <+pekster> It's non-trivial to set up policy routing like that
11:47 <+pekster> Here's a nifty guide from the LARTC group: http://lartc.org/howto/
11:47 <@vpnHelper> Title: Linux Advanced Routing & Traffic Control HOWTO (at lartc.org)
11:47 <+pekster> If you're already very familiar with 'ip' command usage, you can skip to chapter 4. Otherwise, starting at the beginning will help you understand what's going on
11:48 <+pekster> Cubox: Hmm, maybe you can try using -j SNAT --to-source 192.95.18.155 ?
11:48 <+pekster> I don't actually know if that does the right thing or not, but it might be worth a shot
11:49 <+pekster> Since it's the same interface, it might just work. Also change your -o to read simply '-o enpls0' without the alias
11:49 < Cubox> pekster: Where do I add this ?
11:50 <+pekster> In the firewall output you gave me, change line 7 to read like so: -A POSTROUTING -s 10.8.0.2/32 -o enp1s0 -j SNAT --to-source 192.95.18.155
11:52 < Cubox> zomfg
11:52 < Cubox> pekster: Marry me.
11:52 < Cubox> pekster: are you a girl ?
11:52 <+pekster> Congrats. And I'm merely a screenname on the Internet
11:53 <+pekster> So, the issue is that the MASQUERADE target always uses the primary IP of an interface (see the iptables-extensions manpage for details)
11:53 < Cubox> yeah
11:53 <+pekster> You didn't want that, and your routing table already handled the next-hop properly
11:53 <+pekster> Normally you can't use SNAT like that, but both your different IPs are on the same interface, so it all works out without work defining policy routing
11:54 < Cubox> :)
11:54 < Cubox> Thanks :)
11:54 <+pekster> Yup
11:54 < Cubox> Next step : IPv6
11:54 < Cubox> but not today !
11:54 <+pekster> At least there's no NAT there...
11:54 < Cubox> yes.
11:54 < Cubox> but i'm not really good at routing :P
11:55 < Cubox> specially with IPv6
11:55 <+pekster> Same game, bigger numbers
11:55 < Cubox> yeah
17:45 < Tativie> I am getting "WARNING: No server certificate verification method has been enabled." however the session seems to work well. However, the session seems to reset the key every 30 or so minutes: "TLS: tls_process: killed expiring key" is this something I should be concerned with? I would like for the encryption to be as strong as possible, even at expense to speed.
17:51 < Tativie> From the site "SSL/TLS renegotiation handshake which occurs once per client per hour" hmm maybe that is all I am seeing? 17:53 < Tativie> Looks like "cipher AES-256-CBC" might be a good choice? Or is there a stronger one? Is blowfish's 128 better in some ways? 17:55 -!- brute11k [~brute11k@89.249.230.101] has quit [Quit: Leaving.] 17:56 < Tativie> "http://infocenter.sybase.com/help/topic/com.sybase.infocenter.dc71335.1502/html/aserbwin/aserbwin27.htm" suggests "TLS_RSA_WITH_AES_256_CBC_SHA" is the strongest? Any advice? 18:10 < Tativie> Maybe I should try adding 'persist-key' & 'persist-tun' in the .conf? 18:11 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn 18:13 < dioz> sounds reasonable 18:18 -!- Guest19661 [~LaStik@62.109.16.198] has quit [Quit: Peace.] 18:19 < Tativie> dioz, does having a short lived key have any advantages? 18:20 -!- b1rkh0ff [~b1rkh0ff@178.77.21.223] has quit [Ping timeout: 252 seconds] 18:20 < dioz> in terms of data encryption yeah it probably would 18:21 < dioz> if the party changes keys used at regular intervals 18:33 -!- b1rkh0ff [~b1rkh0ff@178.77.1.83] has joined #openvpn 18:47 <+pekster> Tativie: You have 2 choices for cipher/auth: one for the TLS control channel, and another for the data encryption/hash. 
I prefer blowfish (I tend to use 128 or 256-bit symmetric keys for that) as BF is generally faster during encryption and only slower during re-keying (which doesn't matter since you have a grace window anyway) 18:47 <+pekster> Tativie: You can improve your security against MITM downgrade attacks by limiting your allowed TLS ciphers to only those you select, or just a single one 18:48 <+pekster> As far as re-keying, the default values are probably fine; I tend to lower my tran-window to about 10 minutes instead of the default of 60, but that's just preference really 18:50 < Tativie> pekster: what line would I need to put in the .conf for 'cipher blowfish 256-bit symmetric key' and what would I need to put in the .conf to change the re-keying time to 10 minutes? 18:50 <+pekster> See 'openvpn --show-ciphers' for a cipher list that you use with the 'cipher' directive in the config file 18:51 <+pekster> The default keysize is used, unless the 'keysize' directive is specified 18:51 < Tativie> Also should I use 'user nobody' & 'group nobody' on both server and client side .conf files? 18:51 <+pekster> See also: --tran-window for the time the old key is valid after symmetric re-key is initiated 18:52 <+pekster> Tativie: Mixed bag as far as user downgrade. 
It can help if the application is ever compromised, but it means you must use --persist-key and possibly --persist-tun (depending on scripts/configuration) which lowers security slightly in the sense that the key material is in-RAM all the time 18:53 <+pekster> That's "usually" okay in a proper Unix-like environment with mlock, although I tend not to downgrade since it causes me more problems with my dynamic firewalling/routing I do on many of my VPN servers 18:53 <+pekster> Ultimately you need to figure out what method you consisder more secure 18:54 <+pekster> Here's my "standard" boilerplate TLS setup: http://fpaste.org/afNV/ 18:54 <+pekster> (you can use line 6 or 7 as you prefer based on how you sign your certs) 18:55 <+pekster> I just use the EKU only, so I use that as my client/server differentiator 18:55 <+pekster> Same for the client, but it has the server/TLS Web Server Authentication values for the remote cert 18:57 < Tativie> hmm. okay. Thanks for the help. I think that I need to do some more research to understand it better. I'm not even sure if I signed the certs right or not. But it does seem to be working. 
18:58 <+pekster> The warning you get means that another valid client could pose as a server to the system issuing that warning 18:59 <+pekster> You should use a remote-cert validation method to restrict the client to talk to only certs that have been designated as a "server" cert; if you use easy-rsa it does that for you, or you can use the proper KU/EKU/ns-cert-type values yourself when you sign (if you manage your own PKI) 18:59 <+pekster> See: 18:59 <+pekster> !mitm 18:59 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: ns-cert-type server in the client config 18:59 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has left #openvpn [] 19:02 < Tativie> Thanks, I will check it out and try setting it up sometime. 19:03 <+pekster> !mitm forget 3 19:04 <+pekster> !forget mitm 3 19:04 <@vpnHelper> Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 19:04 <+pekster> :\ 19:05 <+pekster> That should be remote-cert-tls as the new-and-preferred method 19:10 < Tativie> It looks like the server .conf file already has the persist-tun and persist-key active. Is the client does specify it also it uses expiring keys? 19:11 < Tativie> If the client does* 19:11 < Tativie> *does not specify* 19:11 <+pekster> All the --persist-* options only impact the local side, not the remote 19:11 <+pekster> It's for the X509 keys, not the ephemeral symmetric ones 19:12 -!- b1rkh0ff [~b1rkh0ff@178.77.1.83] has quit [Ping timeout: 246 seconds] 19:16 < Tativie> hmm, okay. 
I don't fully understand, but I take it that means the server .conf's use of the persist options does not really matter for my current session? 19:18 <+pekster> I don't understand the question 19:24 -!- nucl3ar [~atom@c-69-247-138-234.hsd1.tn.comcast.net] has quit [Quit: leaving] 19:26 -!- Guest47194 [~reise@180.210.201.168] has joined #openvpn 19:27 -!- Wintereise [Wintereise@113.11.122.231] has quit [Ping timeout: 246 seconds] 20:09 -!- HyperGlide [~HyperGlid@182.151.63.232] has joined #openvpn 20:18 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit [Ping timeout: 248 seconds] 20:45 -!- HyperGlide [~HyperGlid@182.151.63.232] has quit [Remote host closed the connection] 20:45 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has joined #openvpn 20:47 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection] 20:51 -!- Cpt-Oblivious [~Cpt-Obliv@a202101.upc-a.chello.nl] has quit [Ping timeout: 248 seconds] 20:55 -!- mojtaba [~Thunderbi@CPE0026f321a168-CM0026f321a165.cpe.net.cable.rogers.com] has joined #openvpn 20:55 < mojtaba> Hi 20:55 < mojtaba> I have just installed openvpn 20:55 < mojtaba> Is there anybody who can help me to configure it? 20:55 < mojtaba> I have installed it on latest version of Ubuntu 20:56 < mojtaba> and would like to connect to it with windows clients and also with android mobile clients. 20:56 < mojtaba> I am also pretty new to Linux era. 20:56 < mojtaba> Any simplified help is highly appreciated. 20:57 < mojtaba> Is anybody there? 20:57 < mojtaba> hello? 20:57 < dioz> hi 20:57 < mojtaba> dioz: hi 20:57 < mojtaba> Can you help me? 20:58 < dioz> !welcome 20:58 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. 
|| !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 20:58 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 20:59 < mojtaba> vpnHelper: Could you explain more, (sorry), I am also new to IRC. 20:59 < mojtaba> I would like to access internet through openvpn to bypass filtering. 21:00 < mojtaba> I am going to set it up in my home and go to trip. 21:02 < mojtaba> hello? 21:02 < mojtaba> Anybody there? 21:27 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 260 seconds] 21:40 < EugeneKay> Nope. 21:40 < EugeneKay> !howto 21:40 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror 21:40 < EugeneKay> !redirect 21:40 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 21:40 <@vpnHelper> http://ircpimps.org/redirect.png 21:41 < EugeneKay> Getting the basic VPN working(being able to ping over the tun interface) is the hardest part, because of the PKI stuff. 21:41 < EugeneKay> The howto covers it all pretty well. 
21:41 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn 22:00 -!- black_ [black@2001:470:8cf8::29] has joined #openvpn 22:00 -!- blackmagic [~black@ip98-185-21-138.rn.hr.cox.net] has quit [Quit: Leaving] 22:00 -!- black_ is now known as blackmagic 22:04 -!- blackmagic [black@2001:470:8cf8::29] has quit [Quit: ZNC - http://znc.in] 22:49 -!- blackmagic [black@2001:470:8cf8::29] has joined #openvpn 23:35 -!- blackmagic [black@2001:470:8cf8::29] has quit [Quit: ZNC - http://znc.in] 23:40 -!- blackmagic [black@got.laid.using.blackmajic.org] has joined #openvpn --- Day changed Mon Jan 21 2013 00:04 -!- Tativie [~Tativie@gateway/tor-sasl/tativie] has quit [Quit: Leaving.] 00:07 -!- mojtaba [~Thunderbi@CPE0026f321a168-CM0026f321a165.cpe.net.cable.rogers.com] has quit [Quit: mojtaba] 00:08 -!- b1rkh0ff [~b1rkh0ff@178.77.1.83] has joined #openvpn 00:38 -!- EugeneKay [eugene@itvends.com] has quit [Quit: ZNC - http://znc.in] 00:38 -!- EugeneKay [eugene@stretchmyan.us] has joined #openvpn 00:49 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn 00:59 -!- Guest47194 [~reise@180.210.201.168] has quit [Ping timeout: 244 seconds] 01:00 -!- Wintereise [Wintereise@113.11.122.231] has joined #openvpn 01:00 -!- Wintereise [Wintereise@113.11.122.231] has quit [Changing host] 01:00 -!- Wintereise [Wintereise@unaffiliated/wintereise] has joined #openvpn 01:15 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn 01:33 -!- Friberg [~Friberg@h-223-133.a176.priv.bahnhof.se] has quit [Ping timeout: 255 seconds] 01:47 -!- Minnebo [~Minnebo@office.exabyte.be] has joined #openvpn 01:47 < Minnebo> !bridge 01:48 <@vpnHelper> "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man) or (#4) also see !whybridge 01:48 < 
Minnebo> !whybridge 01:48 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 01:58 < Minnebo> openvpn is a pain in the ass 01:58 < Minnebo> i guess i will install pfsense 02:13 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn 02:13 -!- thinkHell [~Hell@85.15.47.27] has joined #openvpn 02:18 -!- ade_b [~Ade@109.58.66.70.bredband.tre.se] has joined #openvpn 02:18 -!- ade_b [~Ade@109.58.66.70.bredband.tre.se] has quit [Changing host] 02:18 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 03:18 -!- thinkHell [~Hell@85.15.47.27] has quit [Quit: ["pop()"]] 03:38 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 04:14 -!- fling [~fling@fsf/member/fling] has joined #openvpn 04:15 < fling> how to remove a key from easy-rsa base? 04:15 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn 04:17 < fling> do I need to just delete files? what about .pem? 
04:51 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 04:52 -!- brute11k [~brute11k@89.249.230.101] has quit [Ping timeout: 248 seconds] 04:55 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn 05:02 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has quit [Ping timeout: 246 seconds] 05:03 -!- HyperGlide [~HyperGlid@182.149.69.53] has joined #openvpn 05:23 -!- brute11k [~brute11k@89.249.230.101] has quit [Ping timeout: 244 seconds] 05:25 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn 05:26 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 05:41 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has quit [Quit: ByeBye] 05:47 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 256 seconds] 05:55 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 05:58 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 256 seconds] 06:03 -!- dydzEz2_ [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has joined #openvpn 06:05 -!- Minnebo [~Minnebo@office.exabyte.be] has quit [Ping timeout: 244 seconds] 06:06 -!- dydzEz2 [dydzEz2@c-67-163-13-78.hsd1.il.comcast.net] has quit [Ping timeout: 248 seconds] 06:08 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds] 06:11 -!- ikonia [~irc@unaffiliated/ikonia] has left #openvpn [] 06:13 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 252 seconds] 06:13 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 06:15 -!- HyperGlide [~HyperGlid@182.149.69.53] has quit [Remote host closed the connection] 06:16 -!- brute11k [~brute11k@89.249.230.101] has quit [Ping timeout: 248 seconds] 06:16 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has joined #openvpn 06:16 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn 06:18 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection] 06:19 -!- ade_b 
[~Ade@109.58.66.70.bredband.tre.se] has joined #openvpn 06:19 -!- ade_b [~Ade@109.58.66.70.bredband.tre.se] has quit [Changing host] 06:19 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 06:27 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 06:28 -!- brute11k [~brute11k@89.249.230.101] has quit [Ping timeout: 255 seconds] 06:30 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 06:30 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn 06:36 -!- brute11k1 [~brute11k@89.249.230.101] has joined #openvpn 06:37 -!- brute11k [~brute11k@89.249.230.101] has quit [Ping timeout: 240 seconds] 06:39 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 256 seconds] 06:42 -!- mh__ [~mh@dev.hollo.dk] has joined #openvpn 06:42 < mh__> hi.. im looking for a way to validate when my ssl cert expires remotely, is that possible somehow? 06:42 < mh__> i have been looking at the parameters that i can give openssl.. but cannot really find a way 06:43 < AsadH> What do you mean mh__? 06:43 < AsadH> Take a look at http://uk1.php.net/openssl_x509_parse 06:43 <@vpnHelper> Title: PHP: openssl_x509_parse - Manual (at uk1.php.net) 06:43 < mh__> AsadH: i would like my nagios server to monitor when my server cert of my openvpn server expires.. 06:43 < mh__> AsadH: thanks a lot 06:46 -!- Wintereise [Wintereise@unaffiliated/wintereise] has quit [] 06:46 -!- Winterei- [~reise@205.185.126.190] has joined #openvpn 06:51 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 06:52 -!- niervol [~krystian@193.106.244.150] has joined #openvpn 06:54 < mh__> hm.. but that requires that i have the public cert.. are there any way to get the cert from a remote host? that will be the first step.. 06:54 <@ecrist> no 06:56 -!- IT2 [~userit@86.120.191.55] has joined #openvpn 06:56 < mh__> okay.. that make my search a lot easier.. 
06:56 < AsadH> mh__ I think you can 06:57 <@ecrist> you need the certificate to check the expiration date. 06:57 <@ecrist> you could have a server-side client-connect script, though 06:57 <@ecrist> since that data is part of what's checked by openvpn 06:57 < AsadH> http://www.asadhaider.co.uk/test.php 06:57 < AsadH> gets google cert info 06:57 < AsadH> [validTo] => 130930235959Z 06:58 < mh__> AsadH: you did that with the openssl functions in php? 06:58 <@ecrist> AsadH: that's because google presents their certificate for connecting web clients 06:58 <@ecrist> openvpn clients don't present their certificate, since they're not listening for connections 06:58 < AsadH> oh, you mean openvpn certs? 06:58 < AsadH> Sorry :P 06:58 < AsadH> I don't even use openvpn 06:58 < mh__> AsadH: oh okay.. yes thats openvpn certs 06:58 <@ecrist> wtf are you here for, then, AsadH? 06:59 < AsadH> Oh, no. That's for SSL certs 06:59 < mh__> then the answer would be no.. well.. then i just have to make the check on the firewall 06:59 -!- IT2 is now known as Marius 06:59 -!- Marius is now known as Guest25156 06:59 < AsadH> ecrist: I'm planning to use it at some point :P I've only used openvpn-as 07:01 -!- Guest25156 [~userit@86.120.191.55] has left #openvpn [] 07:04 -!- Winterei- is now known as Wintereise 07:04 -!- Wintereise [~reise@205.185.126.190] has quit [Changing host] 07:04 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn 07:09 -!- mh__ [~mh@dev.hollo.dk] has left #openvpn [] 07:31 -!- niervol [~krystian@193.106.244.150] has quit [Read error: No route to host] 07:36 -!- niervol [~krystian@193.106.244.150] has joined #openvpn 07:56 -!- khem_ [~x@lotus.redl8.com] has joined #openvpn 07:57 < khem_> is there some good way to monitor a OpenVPN service without running a management interface for each and every OpenVPN daemon, if i have several of them? 08:01 -!- niervol [~krystian@193.106.244.150] has quit [Quit: Leaving.] 
08:04 -!- niervol [~krystian@193.106.244.150] has joined #openvpn 08:04 < blackmagic> management interface? 08:05 < AsadH> he might mean access server 08:07 < con3x> SSH! 08:08 < con3x> :P 08:08 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit [] 08:10 -!- HyperGlide [~HyperGlid@li385-100.members.linode.com] has quit [Remote host closed the connection] 08:16 -!- zu [~zu@ks387228.kimsufi.com] has quit [Ping timeout: 276 seconds] 08:18 -!- Porkepix [~Porkepix@lns-bzn-33-82-252-63-56.adsl.proxad.net] has quit [Ping timeout: 248 seconds] 08:37 -!- gustavoz [~gustavoz@host110.190-225-90.telecom.net.ar] has joined #openvpn 08:47 -!- KaiForce [~chatzilla@adsl-70-228-76-146.dsl.akrnoh.ameritech.net] has joined #openvpn 08:59 -!- d12fk [~heiko@exit0.net] has joined #openvpn 09:00 <@ecrist> khem_: no 09:00 <@ecrist> you need to monitor each process separately, or you need to monitor each processes status-log 09:01 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn 09:14 <+pekster> fling: If you want to revoke a cert you've issued, you should use the revoke-full script, and then generate and publish the CRL to your server so the certificate can't be used by a client that no longer should connect 09:15 < fling> pekster: hmm hmm 09:16 < fling> pekster: what is CRL? 09:16 <+pekster> !crl 09:16 <@vpnHelper> "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that 09:16 <@vpnHelper> will create the CRL file for you. 
ssl-admin will also build a crl for you 09:21 -!- grass_ [pinne@46.246.119.109] has left #openvpn [] 09:23 -!- Daedy [~deed02392@ks353738.kimsufi.com] has quit [Read error: Operation timed out] 09:26 -!- deed02392 [~deed02392@ks353738.kimsufi.com] has joined #openvpn 09:46 < AsadH> novaflash ! 09:46 < AsadH> novaflash novaflash novaflash http://i.imgur.com/ELGcY8x.jpg 09:48 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn 09:49 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn 09:51 -!- Minnebo [~Minnebo@office.exabyte.be] has joined #openvpn 09:52 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Operation timed out] 09:55 -!- Minnebo_ [~Minnebo@office.exabyte.be] has joined #openvpn 09:55 -!- Minnebo [~Minnebo@office.exabyte.be] has quit [Read error: Connection reset by peer] 09:59 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 10:12 -!- brute11k1 [~brute11k@89.249.230.101] has quit [Ping timeout: 256 seconds] 10:12 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn 10:22 -!- master_of_master [~master_of@p57B52132.dip.t-dialin.net] has quit [Ping timeout: 252 seconds] 10:24 -!- master_of_master [~master_of@p57B5425D.dip.t-dialin.net] has joined #openvpn 10:27 -!- nimbius [~cicero@108-85-136-152.lightspeed.irvnca.sbcglobal.net] has joined #openvpn 10:28 < nimbius> hi openvpn, i have a private key with a password. how can i supply it during connection? 10:28 < nimbius> !welcome 10:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 10:28 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 10:28 < nimbius> !goal i want to supply my private key password during connection 10:29 -!- MeanderingCode [~Meanderin@199.254.238.179] has joined #openvpn 10:29 <+pekster> nimbius: Normally the passphrase for an encrypted X509 key will be prompted for on STDIN; some frontends use the management interface to supply it using a method more suitable to the program (eg: a GUI window or such for a graphical frontend) 10:29 <+pekster> You can techncially tell openvpn to get the passphrase from a text file, but doing some largely makes encrypting your key pointless since anyone who can find the config can see the path to the file with your plaintext passphrase 10:30 < nimbius> pekster: thanks. im using an init.d script that references my openvpn.conf for the office 10:31 <+pekster> Then pick a more suitable method since STDIN isn't normally exposed to the user during distro init processing. Maybe use the management interface and look at the '--management-hold' option until you manually give it the passphrase, or don't encrypted your key if you want it to automatically connect without user input 10:32 <+pekster> nimbius: References in the manpage for you to consider can be found in the following directives: --management, --management-hold, --management-client-auth, and --auth-user-pass 10:33 <+pekster> Or decrypting the key via 'openssl rsa -in encrypted.key -out unencrypted.key' 10:33 -!- Minnebo_ [~Minnebo@office.exabyte.be] has quit [Ping timeout: 252 seconds] 10:49 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn 10:49 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has joined #openvpn 10:53 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 10:55 < nimbius> pekster: thanks for your help :) openvpn runs well now! 
10:55 -!- nimbius [~cicero@108-85-136-152.lightspeed.irvnca.sbcglobal.net] has left #openvpn ["ahoi"] 10:57 -!- raidz_away is now known as raidz 10:58 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 11:02 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn 11:02 -!- Valcorb [Valcorb@94-226-106-113.access.telenet.be] has quit [Ping timeout: 256 seconds] 11:04 -!- Azrael808 [~peter@212.161.9.162] has quit [Read error: Operation timed out] 11:18 -!- Valcorb [~Valcorb@199.229.249.189] has joined #openvpn 11:19 -!- Minnebo_ [~Minnebo@78-23-254-38.access.telenet.be] has joined #openvpn 11:23 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 11:23 -!- mode/#openvpn [+v s7r] by ChanServ 11:24 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 260 seconds] 11:24 -!- Valcorb [~Valcorb@199.229.249.189] has quit [Ping timeout: 252 seconds] 11:25 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn 11:26 -!- dazo is now known as dazo_afk 11:29 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 11:37 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Ping timeout: 264 seconds] 11:37 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 264 seconds] 11:37 -!- Champi [Champi@rootshell.fr] has quit [Ping timeout: 264 seconds] 11:37 -!- Champi [Champi@rootshell.fr] has joined #openvpn 11:38 -!- BtbN [~btbn@btbn.de] has quit [Ping timeout: 264 seconds] 11:38 -!- KiNgMaR [~ingmar@2a00:1828:2000:289::cafe:d00d] has quit [Ping timeout: 264 seconds] 11:41 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn 11:42 -!- BtbN [~btbn@btbn.de] has joined #openvpn 11:42 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn 11:43 -!- KiNgMaR [~ingmar@2a00:1828:2000:289::cafe:d00d] has joined #openvpn 11:47 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit [Read error: Connection reset by peer] 11:49 -!- ade_b 
[~Ade@kista.guest.accome.com] has joined #openvpn 11:49 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host] 11:49 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 11:50 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn 11:51 -!- catsup [~d@64.111.123.163] has joined #openvpn 11:56 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn 11:59 -!- combat7331 [~Mamba@d54C66165.access.telenet.be] has joined #openvpn 11:59 < combat7331> Hello 11:59 < combat7331> How can I randomely set the IP that is connected to with OpenVPN 11:59 -!- Netsplit *.net <-> *.split quits: @vpnHelper, clu5ter, b00gz_, dioz, ben1066, DBordello, Cybertinus, ngharo, KiNgMaR, |Mike| 11:59 -!- Netsplit over, joins: Cybertinus, clu5ter 11:59 < combat7331> Something like ISP do, "Dynamic IP" 12:00 -!- b00gz_ [uid6869@gateway/web/irccloud.com/x-yssobzmevvtknuoq] has joined #openvpn 12:00 -!- AsadH is now known as zz_AsadH 12:00 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit [Read error: Connection reset by peer] 12:01 <+pekster> combat7331: Are you asking about how to randomly connect to one of a number of profiles, or to hand out IPs from your server-side pool of IPs in a random fashion 12:07 -!- ngharo [~ngharo@shepard.sypherz.com] has joined #openvpn 12:10 -!- ben1066 [~quassel@2a03:b200:9::824e:1e6e] has joined #openvpn 12:10 -!- ben1066 [~quassel@2a03:b200:9::824e:1e6e] has quit [Changing host] 12:10 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn 12:10 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has joined #openvpn 12:10 -!- DBordello [~DBordello@unaffiliated/dbordello] has joined #openvpn 12:11 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn 12:11 -!- KiNgMaR [~ingmar@2a00:1828:2000:289::cafe:d00d] has joined #openvpn 12:11 < combat7331> @pekster, just randomly everytime a user connects a new IP. 12:11 <+pekster> I still don't understand. Randomize what? 
I also don't understand "everytime a user connects to a new IP" either 12:12 <+pekster> By default, OpenVPN already acts similar to DHCP in that a client only gets an IP from the server for as long as they remain connected 12:12 < combat7331> Everytime a user connects to my OpenVPN server, it should assign that customer a random external IP. 12:12 <+pekster> If the user disconnects and reconnects, they may or may not get the same IP from the pool depending on pool avaibility 12:13 < combat7331> I am not regarding to the internal IP's. More about the external IP, that are assigned by the provider to me. 12:13 <+pekster> Okay, if you want that, you'll need to manage that in a --client-connect script and dyanmically generate an 'ifconfig-push' value in the temp file that script is passed to marshal the desired "random" IP to a client 12:13 <+pekster> OpenVPN does not care about any external association you have 12:13 < combat7331> Ah yeah, right. 12:13 < combat7331> Thanks 12:14 <+pekster> If you're using RFC1918 IPs to clients, that's fine. If you're somehow binding those unroutable IPs to an external IP, you need to do that dynamically via whatever scripting method you choose to manage the association 12:14 <+pekster> OpenVPN can hand out public IPs too, just like with private IPs. You should of course own the IP block you're using if you do that 12:14 < combat7331> I do own that 12:15 <+pekster> OpenVPN manages the pool for you with 'ifconfig-pool'. You're free to manage it yourself, but then it's on you to figure out how to keep track of free vs in-use IPs from the range you pass to clients 12:15 < combat7331> how does that ifconfig-push thing work? 
12:16 <+pekster> Check the manpage for --ifconfig-push and feel free to ask a specific question if you're still confused after reading the supplied documentation 12:17 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has quit [Ping timeout: 264 seconds] 12:18 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Remote host closed the connection] 12:21 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has joined #openvpn 12:43 -!- Eagleman [~Eagleman@5.45.183.189] has joined #openvpn 12:43 -!- zz_AsadH is now known as AsadH 12:44 < Eagleman> Are there ways to improve the connection bandwidth when using redirect-gateway ? 12:45 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has quit [Read error: Connection reset by peer] 12:46 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 260 seconds] 12:47 < combat7331> !man 12:47 <+pekster> Eagleman: That depends completely on where your bottleneck is. You're going to be limited at a theoretical level to the bandwidth of the VPN link in such a case, plus whatever limits your server has on its uplink 12:48 < Eagleman> This is what currently happens, when i test the openvpn endpoint it reaches 80-80 Down-Up: http://imagebin.org/243705 12:48 <+pekster> That's not surprising. What is your server provisioned for? 12:48 < Eagleman> VPS 12:48 <+pekster> No, bandwidth-wise 12:49 <+pekster> Maybe you mis-understand how redirect-gateway works; all the client traffic is sent to the remote endpoint, and it then routes the traffic through that point on the Internet. You're limited both in terms of the VPN link itself and the aggrigate of all traffic that host is generating against its provisioned limits 12:49 < Eagleman> pekster, just did a test: http://www.speedtest.net/result/2452448715.png 12:50 <+pekster> Oh the server? 
12:50 < Eagleman> yes
12:50 < Eagleman> It's higher than my current network
12:50 -!- Wintereise [~reise@unaffiliated/wintereise] has quit [Ping timeout: 252 seconds]
12:50 <+pekster> You can try increasing the --replay-window beyond default values
12:51 < Eagleman> 79 vs 57 down and 42 vs 5 up
12:51 <+pekster> You might be running into window-limitations on how many packets out the encrypted stream is willing to support
12:51 <+pekster> Try 2x or 4x the default packet value (you need that on both peers) and see if your situation improves after a client reconnect
12:52 < Eagleman> will try
12:52 <+pekster> CPU shouldn't be an issue, but you can rule it out by making sure you don't peg a core on either the client or server to verify it's not a problem there
12:52 < Eagleman> resource wise it's not even using enough worth to mention
12:53 < Eagleman> 2-3% increase of cpu power
12:53 <+pekster> Yea, that's usually the case unless you use embedded hardware or load a single-server instance up
12:54 < Eagleman> --replay-window n [t] You are talking about the default 64 in n ?
12:54 <+pekster> Yea. You can really leave t alone (it's optional anyway.) Try 128 or 256 and see if results improve
12:55 <+pekster> If they do, see what the value after which you stop seeing improvement; you want to keep that "as low as feasible" because it limits replay attacks that can be performed, but too low and it'll interfere with packet delivery where the product of your bandwidth & latency is high (IIRC the manpage notes this too)
12:56 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
12:56 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
12:57 -!- Wintereise [Wintereise@113.11.122.231] has joined #openvpn
12:57 -!- Wintereise [Wintereise@113.11.122.231] has quit [Changing host]
12:57 -!- Wintereise [Wintereise@unaffiliated/wintereise] has joined #openvpn
12:57 < Eagleman7> wow
12:58 < Eagleman7> The overhead is almost eliminated
12:58 < Eagleman7> http://www.speedtest.net/result/2452470216.png
12:58 -!- Eagleman [~Eagleman@5.45.183.189] has quit [Ping timeout: 255 seconds]
12:58 <+pekster> Part of the issue is a fairly high bandwidth your server has combined with a ~100ms increase in latency across the VPN
12:58 <+pekster> That's a non-trivial amount of latency given the bw you're pushing
12:59 < Eagleman7> Which issue?
12:59 < Eagleman7> I think i missed a part
12:59 <+pekster> Lower VPN bw versus link potential
12:59 < Eagleman7> [19:55] Ow, i am still on a tcp connection is when i disconnected
13:00 <+pekster> The manpage explains in plenty of detail what the option does at a technical level, but basically you're pushing packets so fast it's dropping them as detected "replay attack" packets. If you use 'verb 4' you can see those warnings in your logs too
13:00 < Eagleman7> That only happens with tcp ?
13:01 <+pekster> It only happens with udp
13:01 <+pekster> (as the OpenVPN encapsulating protocol)
13:01 <+pekster> TCP has guaranteed delivery and ordering built into the protocol
13:01 < Eagleman7> hmm, i switched from tcp to udp and it eliminated the overhead
13:01 -!- Tomoyo [Wintereise@113.11.122.231] has joined #openvpn
13:02 -!- Tomoyo is now known as Guest88161
13:02 <+pekster> You don't want to use tcp as the ovpn protocol unless you need it for some reason
13:02 <+pekster> It's a waste of overhead and performs poorly when encapsulating another TCP stream inside
13:03 < Eagleman7> pekster the main reason i was using it is because my school is almost blocking every port, so i used 443 with tcp
13:03 <+pekster> I'll sometimes run a 2nd VPN server on some common TCP ports, but often you can get away with UDP on ports 53 or similarly common values
13:03 < EugeneKay> You can almost always find an open udp port
13:04 <+pekster> An IDS/DPI system will catch it, but it's not too common to find those on general-access networks
13:04 <+pekster> I tend to run 2 servers, one for UDP and another (backup-only) on TCP and just forward a slew of common ports if I'm not using them so I have good chance for remote access on abusive firewalls
13:05 -!- Wintereise [Wintereise@unaffiliated/wintereise] has quit [Ping timeout: 240 seconds]
13:06 < Eagleman7> Can't remember which ports are open, i am currently doing my internship so i can't test it out for a few weeks
13:06 < Eagleman7> But i will when i'm back
13:06 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
13:06 -!- mode/#openvpn [+o vpnHelper] by ChanServ
13:08 < Eagleman7> Should also setup my openvpn server to listen to multiple ports
13:08 <+pekster> OpenVPN won't do that; your firewall/NAT setup can enable it though
13:09 < Eagleman7> Multiple instances*
13:10 <+pekster> '-A PREROUTING -p udp -m multiport --dports 1194,53,66,67,161 -j DNAT --to-destination $IP_GOES_HERE:1194' or similar
13:10 -!- mdw [~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has quit [Quit: [self sleep]]
13:10 <+pekster> Sure, multiple instances too, but I'm not going to run dozens of instances just to get them exposed on multiple ports
13:10 < Eagleman7> Aha, thanks will save it
13:10 < Eagleman7> well i need at least to, one for udp and tcp right?
13:11 < Eagleman7> to=two
13:11 <+pekster> If you want both options, yes
13:11 <+pekster> So that's a minimum of 2 openvpn instances, one per protocol. Each needs its own unique network, but you can route between them if you'd like
13:11 <+pekster> (just set the firewall to do it and enable IP forwarding)
13:12 <+pekster> Erm, 67 & 68 was what I meant. I'm sure google can suggest other common ports too
13:13 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 244 seconds]
13:13 < ngharo> pekster: can I bounce an idea off you? Thinkin of making a VPN only accessible web dashboard for my users to modify their routes. Toggle buttons to route out Tor transparent proxy and/or toggle button to route out another VPN tunnel. I'd need to make a sudo exception to allow httpd user to modify routes. Thoughts?
13:14 <+pekster> Why do that server-side? A client-side app can just as easily manage routes if that's your goal
13:15 <+pekster> Otherwise sure, CGI can be configured to use suexec or similar and set the UID/GID of the CGI to do what you need, or have it call a privilege-elevating command (such as via sudo or a suid binary)
13:16 <+pekster> Normally you limit the scope of such elevation as much as possible to limit the potential for a scripting error to an attacker looking to gain access
13:16 < ngharo> guess i'm thinking server-side so I don't have to write platform specific apps
13:16 < ngharo> i'm running a second apache instance bound to tun0
13:17 < combat7331> hello pekster
13:17 < combat7331> If i setup round robin DNS
13:17 < ngharo> still a bit nervous about running commands as root with user input, but my users *shouldn't* be messing around
13:17 <+pekster> Treat security on the httpd the same as you would normally, since you presumably don't want "any" VPN user able to abuse your system
13:17 < combat7331> will it show the same on the external ip.
13:17 <+pekster> Yea
13:17 < combat7331> ?*
13:18 <+pekster> combat7331: No clue. That's well outside the scope of OpenVPN at that point, and boils down to your implementation details
13:18 < ngharo> pekster: ok kewl. thanks, just wanted to make sure I wasn't crafting up a horrible idea
13:18 < combat7331> if i connect to IP "179.56.96.33" will it show as external IP that or the one that is assigned to the default internface?
13:19 < combat7331> interface*
13:19 <+pekster> It's only horrible if you implement it horribly ;)
13:19 < Eagleman7> Thanks for helping pekster, i have to generate some certificates now :). Cya
13:20 < combat7331> local 179.56.96.33-35
13:20 < combat7331> can i do that?
13:21 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has left #openvpn []
13:21 <+pekster> combat7331: huh? No. What are you trying to do, exactly? --local is for binding the OpenVPN socket to a specific IP
13:22 < combat7331> Random external IP on connection
13:22 < combat7331> i tried via clientconnect
13:22 < combat7331> but I don't understand the ifconfig-push arguments
13:23 <+pekster> They're the same as the --ifconfig directive, but the server sends to the client
13:24 < combat7331> so I would do this in the client connect script: ifconfig-push 179.56.96.33
13:24 <+pekster> Okay, the manpage tells you that you need 2 arguments
13:24 <+pekster> So no. Supply the 2nd argument depending on your topology
13:25 < combat7331> ifconfig-push ?
13:25 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
13:25 * pekster sighs
13:25 <+pekster> OpenVPN is *not* responsible for tying a private IP to a public one
13:25 <+pekster> Do that yourself, using whatever firewall/NAT tools you prefer on your OS
13:25 < combat7331> that's not what I want
13:26 <+pekster> Bummer. OpenVPN can't magically maintain an external association outside of its own process
13:26 < combat7331> I just want that every time somebody connects to my VPN gets a different IP address externally that is shown to the internet.
13:26 <+pekster> I'd like OpenVPN to make me breakfast too, but it lacks support to do that
13:26 < Eagleman7> Any idea why all my internet browsers stop working after i disconnect the openvpn connection? I can nslookup and ping everything just fine, and restarting the webbrowser does not help either, i'm on windows
13:27 <+pekster> combat7331: Then go develop a solution to do that. Write some code to make the association between the rfc1918 space you're giving clients, or give them a public IP directly via some code you write to get a random assignment and route traffic to them
13:27 <+pekster> Either way you need to WRITE YOUR OWN CODE to do that. I'm not going to work for free for your business
13:27 <+pekster> OpenVPN does *not* support what you're asking out of the box
13:27 <+pekster> So, go do what business owners do and develop a solution to your problem
13:28 < combat7331> Sure, thanks for the help though :)
13:29 < Eagleman7> Any idea why all my internet browsers keep saying cannot make a connection [ WEBSITE ] after i disconnect the openvpn connection? I can nslookup and ping everything just fine, and restarting the webbrowser does not help either, i'm on windows
13:30 <+pekster> browser proxy perhaps? If you can ping the same target you can't browse to, either the browser is misconfigured to connect via the same path, or some firewall is blocking the access (or the host is simply down)
13:31 <+pekster> Doesn't sound like an OpenVPN problem if you can reach the host via other protocols/programs
13:34 < Eagleman7> I go with a restart then
13:34 < Eagleman7> I can't troubleshoot browsers
13:35 -!- combat7331 [~Mamba@d54C66165.access.telenet.be] has quit []
13:41 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit []
13:52 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn
14:00 -!- MeanderingCode_ [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn
14:00 -!- MeanderingCode [~Meanderin@199.254.238.179] has quit [Ping timeout: 252 seconds]
14:01 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has joined #openvpn
14:08 -!- dazo_afk is now known as dazo
14:18 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
14:34 -!- brute11k [~brute11k@89.249.230.101] has quit [Quit: Leaving.]
14:35 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn
14:36 -!- Orbi [~opera@anon-186-58.vpn.ipredator.se] has joined #openvpn
14:39 -!- JPeterson [~JPeterson@s213-103-211-58.cust.tele2.se] has joined #openvpn
14:40 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
14:51 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving]
14:55 -!- amir [~amir@unaffiliated/amir] has quit [Remote host closed the connection]
15:00 -!- amir [~amir@unaffiliated/amir] has joined #openvpn
15:06 < dioz> haha
15:32 < Orbi> Hi, after a pppoe reset OpenVPN does not always reestablish connection. I want to re-launch openvpn with a bash script. Is it possible to capture the 'Initialization Sequence Completed' message of OpenVPN to use it in the script?
15:40 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Ping timeout: 264 seconds]
15:43 < kisom> Orbi: You should just let openvpn handle the reconnection. Check the logs and see why it does not reconnect.
15:43 -!- KaiForce [~chatzilla@adsl-70-228-76-146.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.89 [Firefox 18.0.1/20130116073211]]
15:45 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit []
15:48 -!- defsdoor [~andy@cpc17-sutt4-2-0-cust175.perr.cable.virginmedia.com] has quit [Quit: Ex-Chat]
15:50 < Orbi> It is a DNS problem, the client cannot resolve the host address.
15:51 -!- Minnebo_ [~Minnebo@78-23-254-38.access.telenet.be] has quit [Ping timeout: 248 seconds]
15:52 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
15:53 < dioz> i'll just troll and say... set the ip address in the .ovpn ?
15:53 -!- dydzEz2__ [~dydzEz2@2601:d:4a80:72:5d05:b2a0:d5f9:d9ad] has joined #openvpn
15:54 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn
15:56 -!- dydzEz2_ [Konigsberg@c-67-163-13-78.hsd1.il.comcast.net] has quit [Ping timeout: 252 seconds]
15:56 < Orbi> I could, but I'd say it doesn't play nice with dnsmasq. Since I have several computers on the network and OpenVPN runs on the router, every computer on the network has a DNS problem.
15:58 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
15:59 <+pekster> How is that related to openvpn? Use the IP if DNS isn't available when you (re)connect. Otherwise each time a connection is attempted after any timeout, the process will attempt to resolve any DNS name in the 'remote' directive on each connect attempt (pursuant to any --resolv-retry setting, which defaults to "infinite")
15:59 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
15:59 <+pekster> I fail to see how a pppoe event (even if you get a new IP) prevents you from performing a DNS lookup
16:01 < Orbi> I don't know how it is related, that's what I'm trying to figure out. If openvpn is killed before the pppoe connection reset, DNS lookup is fine.
16:02 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn
16:05 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit []
16:15 -!- Orbi [~opera@anon-186-58.vpn.ipredator.se] has quit [Ping timeout: 245 seconds]
16:26 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit []
16:33 -!- Orbi [~opera@anon-185-71.vpn.ipredator.se] has joined #openvpn
16:38 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has joined #openvpn
16:39 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn
16:40 <+pekster> Orbi: It might be binding to the interface that gets torn down. A HUP should fix that, which I suggested a few days ago that you tie into your distro's network post-connection script for the uplink interface
16:41 <+pekster> My suggestion still stands
16:41 -!- u0m3_ [~Radu@92.80.72.203] has quit [Ping timeout: 248 seconds]
16:46 -!- bsdgeek [~bsdgeek@91-66-20-106-dynip.superkabel.de] has joined #openvpn
17:04 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:05 -!- MeanderingCode_ [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Remote host closed the connection]
17:15 -!- Orbi [~opera@anon-185-71.vpn.ipredator.se] has quit [Quit: Orbi]
17:18 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 260 seconds]
17:18 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
17:18 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn
17:19 -!- Devastator [~devas@186.214.14.9] has joined #openvpn
17:21 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
17:31 -!- dazo is now known as dazo_afk
17:34 < dvl> Late last week I installed FreeBSD 9.1 onto a gmirror, which I created during the install process. I documented it via photographs and comments. Hopefully, the next time I do this, it will be useful to refer to this resource. http://bit.ly/VW7bbN
17:34 < dvl> yeah, there's a lot of FreeBSD in here? speak up!
17:35 <+pekster> BSD has been jailed? Free BSD! :P
17:35 <+pekster>
17:40 < dvl> Not bad
17:41 <+pekster> If I decide to remove the cork from one of my wine bottles the jokes might really start to go downhill ;)
17:42 -!- gladiatr [~sdspence@openvpn/community/support/gladiatr] has quit [Quit: Leaving]
17:42 -!- tyteen4a03 [~T4@n218250229105.netvigator.com] has quit [Quit: Leaving]
17:43 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection]
17:50 -!- b1rkh0ff [~b1rkh0ff@178.77.1.83] has quit [Ping timeout: 256 seconds]
17:52 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
18:26 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-136.233.wb.wifirst.net] has quit [Read error: Operation timed out]
18:28 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn
18:39 -!- Devastator [~devas@186.214.14.9] has quit [Changing host]
18:39 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
19:10 < EugeneKay> Mmmm beer
19:11 * pekster is torn between wine and beer
19:11 <+pekster> Although after fixing my initramfs up earlier, maybe wine is in order
19:12 <+pekster> It's always fun rebooting a box knowing that it'll either come back in a minute or two, or you'll spend the next 20 to 50 minutes with a RS232 cable sitting 2 meters from the box you just hosed ;)
19:15 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has quit []
19:16 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 252 seconds]
19:24 < EugeneKay> My colo has three gateway boxes with keepalived to ensure it doesn't matter :-p
19:24 < EugeneKay> All of my backend boxes are ESXi with vMotion enabled, so the VMs don't care what they're running on. If one of them needs a reboot it's trivial to fix via the console
19:25 < EugeneKay> The only thing I really worry about is my NetApp SANs. I haven't gotten them running clustered quite yet (laziness), so I have to shut all of the VMs down on the one to be rebooted
19:25 < EugeneKay> Buut.... they never reboot. Ever.
19:26 < EugeneKay> One of these days I'll get a second power circuit dropped in and proper stacked switches.
19:26 < EugeneKay> But not this month
19:29 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 240 seconds]
19:30 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
19:40 -!- raidz is now known as raidz_away
19:40 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit []
19:40 -!- Guest88161 [Wintereise@113.11.122.231] has left #openvpn []
19:41 -!- Wintereise [Wintereise@unaffiliated/wintereise] has joined #openvpn
19:44 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn
20:09 -!- u0m3 [~Radu@92.80.72.203] has joined #openvpn
20:23 -!- Guest88161 [Wintereise@113.11.122.231] has joined #openvpn
20:23 -!- Wintereise [Wintereise@unaffiliated/wintereise] has quit [Ping timeout: 244 seconds]
20:27 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn
21:17 -!- Wintereise [Wintereise@113.11.122.231] has joined #openvpn
21:18 -!- Guest88161 [Wintereise@113.11.122.231] has quit [Ping timeout: 256 seconds]
22:12 -!- Wintereise [Wintereise@113.11.122.231] has quit [Ping timeout: 252 seconds]
22:21 -!- ngharo [~ngharo@shepard.sypherz.com] has quit [Ping timeout: 245 seconds]
22:21 -!- khem_ [~x@lotus.redl8.com] has quit [Ping timeout: 252 seconds]
22:22 -!- ngharo [~ngharo@shepard.sypherz.com] has joined #openvpn
22:22 -!- khem_ [~x@lotus.redl8.com] has joined #openvpn
22:25 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 240 seconds]
22:36 -!- khem_ [~x@lotus.redl8.com] has quit [Ping timeout: 248 seconds]
22:37 -!- khem_ [~x@lotus.redl8.com] has joined #openvpn
22:40 -!- uberushaximus [~uberushax@shepard.sypherz.com] has quit [Ping timeout: 240 seconds]
22:42 -!- uberushaximus [~uberushax@shepard.sypherz.com] has joined #openvpn
22:56 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 252 seconds]
--- Day changed Tue Jan 22 2013
00:14 -!- iml_ [~iml@c-24-60-231-68.hsd1.ct.comcast.net] has joined #openvpn
00:14 < iml_> !welcome
00:14 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
00:14 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:41 -!- iml_ [~iml@c-24-60-231-68.hsd1.ct.comcast.net] has left #openvpn []
00:49 -!- pekster [~rewt@openvpn/user/pekster] has quit [Quit: kernel upgrade]
00:49 -!- Otacon22 [~otacon22@isd-vpn.doshisha.ac.jp] has joined #openvpn
00:50 < Otacon22> Hi guys, I'm getting the "TLS Error: reading acknowledgement record from packet" error
00:50 < Otacon22> and I don't use tls-key on any client/server
00:51 < Otacon22> But actually I'm tunneling the openvpn connection inside a very slow udp connection
00:51 < Otacon22> if openvpn starts to send packets using a high rate, they may be dropped
01:05 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
01:09 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 256 seconds]
01:13 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has quit [Ping timeout: 264 seconds]
01:13 -!- |Mike| [mike@2001:0:53aa:64c:28ac:7181:2b66:b9f1] has joined #openvpn
01:14 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
01:14 -!- Qianyi [~Qianyi@180.155.14.35] has quit [Quit: Leaving]
01:24 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 248 seconds]
01:28 -!- Minnebo_ [~Minnebo@office.exabyte.be] has joined #openvpn
01:31 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
01:39 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has quit [Quit: Leaving]
01:43 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 252 seconds]
01:50 -!- Mcloven [~Mcloven@ppp203-122-218-215.static.internode.on.net] has joined #openvpn
01:54 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 248 seconds]
02:01 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
02:11 -!- dydzEz2__ [~dydzEz2@2601:d:4a80:72:5d05:b2a0:d5f9:d9ad] has quit [Quit: Leaving]
02:21 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:22 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has joined #openvpn
02:36 -!- dydzEz2 [~dydzEz2@2601:d:4a80:72:3cca:2357:4ff9:4c4f] has joined #openvpn
02:37 -!- AsadH is now known as zz_AsadH
02:54 -!- MeanderingCode_ [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn
02:55 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Ping timeout: 248 seconds]
02:59 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
03:01 -!- krzee [nobody@openvpn/community/support/krzee] has joined #openvpn
03:01 -!- mode/#openvpn [+o krzee] by ChanServ
03:05 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn
03:07 -!- kobolduk [~kobolduk@office.prolocation.net] has joined #openvpn
03:15 -!- nutcase [~nutcase@unaffiliated/nutcase] has joined #openvpn
03:17 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn
03:21 -!- MeanderingCode_ [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Ping timeout: 248 seconds]
03:24 -!- dydzEz2 [~dydzEz2@2601:d:4a80:72:3cca:2357:4ff9:4c4f] has quit [Quit: Leaving]
03:53 -!- Otacon22 [~otacon22@isd-vpn.doshisha.ac.jp] has quit [Ping timeout: 272 seconds]
04:10 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn
04:10 -!- zz_AsadH is now known as AsadH
04:12 -!- defswork [~andy@141.0.50.105] has joined #openvpn
04:14 < AsadH> yo novaflash
04:14 < AsadH> novaflash novaflash
04:14 < AsadH> :(
04:15 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
04:26 -!- mXr [mxr@chello084112107202.24.11.vie.surfer.at] has joined #openvpn
04:26 < mXr> hello
04:26 < mXr> i have a strange issue with revocation of certificates, using openvpn 2.2.1
04:26 < mXr> anyone got an idea maybe... i have a certificate with a certain common name X
04:26 < mXr> it had the serial 08
04:27 < mXr> it got revoked, a long time later the person is supposed to get a new cert, so i created a new one with the same common name X, this time it got serial number 1A
04:27 < mXr> afaik revocation checks should be based on serial
04:27 < mXr> but apparently, openvpn checks against CN? because i cannot connect due to it "being revoked" even tho it certainly is not
04:28 < mXr> is it supposed to work like that?
04:30 -!- dazo_afk is now known as dazo
04:31 -!- BtbN [~btbn@btbn.de] has quit [Ping timeout: 246 seconds]
04:35 -!- BtbN [~btbn@btbn.de] has joined #openvpn
04:37 -!- krzee [nobody@openvpn/community/support/krzee] has quit [Ping timeout: 248 seconds]
04:38 -!- mXr [mxr@chello084112107202.24.11.vie.surfer.at] has quit [Remote host closed the connection]
04:39 -!- Orbi [~opera@anon-185-41.vpn.ipredator.se] has joined #openvpn
04:45 -!- b1rkh0ff [~b1rkh0ff@178.77.23.88] has joined #openvpn
04:47 -!- lazerbeak [~lazerbeak@unafffiliated/lazerbeak] has joined #openvpn
04:48 < lazerbeak> hi I have setup openvpn and it's connecting to my vpn, but windows is still using the old connection?
04:55 -!- Mava [~Mava@ip-45-201.dhcp.opintanner.fi] has joined #openvpn 04:56 < Mava> if there is somebody, who knows about stacked and chained. could you verify that: Stacked certificate is a collection of more than one certificates and In chain, every each certificate is depending on it's issuer. 04:56 < Mava> having again human error with this certificate stack and chain ideology =/ 05:24 <@dazo> Mava: https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains 05:24 <@vpnHelper> Title: Using_Certificate_Chains – OpenVPN Community (at community.openvpn.net) 05:33 < Mava> öer.. something that I remembered 05:33 < Mava> got to put that site to bookmarks etc. that I can really find it again more easily =) 05:50 -!- AsadH is now known as zz_AsadH 05:55 -!- Denial [Denial@cpc15-tonb3-2-0-cust76.16-3.cable.virginmedia.com] has joined #openvpn 06:09 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds] 06:12 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 06:13 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has quit [] 06:13 -!- Minnebo__ [~Minnebo@office.exabyte.be] has joined #openvpn 06:15 -!- Mava [~Mava@ip-45-201.dhcp.opintanner.fi] has left #openvpn [] 06:16 -!- Minnebo_ [~Minnebo@office.exabyte.be] has quit [Ping timeout: 272 seconds] 06:18 -!- Minnebo__ [~Minnebo@office.exabyte.be] has quit [Ping timeout: 252 seconds] 06:31 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Read error: Operation timed out] 06:41 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn 06:46 -!- kobolduk [~kobolduk@office.prolocation.net] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]] 06:49 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has joined #openvpn 06:51 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has joined #openvpn 07:20 -!- Vorik 
[~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has joined #openvpn 07:22 < Vorik> Hi! I've got an openvpn server on Centos6, Selinux permissive, installed with Puppet luxflux/puppet-openvpn module. I can ping the clients from the server and vice versa, but nothing (including server ip) from the LAN. I've added routes to the client and the default gateway of the LAN. ip_forward is enabled. What could be amiss? 07:24 < Vorik> Btw, it routed all my browser traffic via the LAN. 07:40 < Vorik> so, it generally works, (connections are routed over VPN) except I cannot access any hosts on the LAN itself. 07:48 -!- tyteen4a03 [T4@n218250228096.netvigator.com] has joined #openvpn 08:09 <@dazo> Vorik: check if you have enabled IP forwarding, then check your firewall ... and then your routing 08:09 <@dazo> Vorik: in 99.9999999% of all support cases, it's guaranteed to be one or more of those three points 08:09 < Vorik> dazo: I've enabled ip_forwarding on the openvpn server, firewall is disabled 08:10 <@dazo> Vorik: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting ... the scenario here should basically be what's needed 08:10 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net) 08:10 <@dazo> Vorik: and "firewall is disabled" .... yeah, that's what everyone says too ;-) 08:11 < Vorik> dazo: lol :) 08:11 < Vorik> I'll check that doc, thanks 08:11 <@dazo> Vorik: however, you can most likely (at least if you run openvpn in server mode) put SELinux into Enforcing .... I'm running OpenVPN on CentOS5 and ScientificLinux 6 boxes in enforcing mode .... 
without any issues 08:12 < Vorik> i'll make a pastie of all configs 08:12 < Vorik> :) 08:12 <@dazo> goodie :) 08:12 * dazo heads out for lunch before a meeting 08:16 < Vorik> dazo: I've put it on http://pastie.org/5822775 08:29 -!- zu [~zu@ks387228.kimsufi.com] has joined #openvpn 08:43 -!- gustavoz [~gustavoz@host110.190-225-90.telecom.net.ar] has quit [Quit: Leaving] 08:49 -!- zz_AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 252 seconds] 08:54 < MeanderingCode> Hey all. Is the Android client FLOSS? 08:54 -!- zu [~zu@ks387228.kimsufi.com] has quit [Remote host closed the connection] 08:56 -!- zu [~zu@ks387228.kimsufi.com] has joined #openvpn 08:57 -!- parmegv [U2FsdGVkX1@ma.sdf.org] has joined #openvpn 09:00 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 246 seconds] 09:08 -!- dioz [~dioz@2001:470:d:e3::1] has quit [Read error: Connection reset by peer] 09:12 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 09:14 -!- parmegv is now known as parmegv_ 09:14 -!- parmegv_ is now known as parmegv 09:14 -!- dioz [~dioz@2001:470:d:e3::1] has joined #openvpn 09:18 -!- Minnebo__ [~Minnebo@office.exabyte.be] has joined #openvpn 09:21 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has joined #openvpn 09:32 -!- Wintereise [Wintereise@113.11.122.227] has joined #openvpn 09:35 -!- Wintereise [Wintereise@113.11.122.227] has quit [Changing host] 09:35 -!- Wintereise [Wintereise@unaffiliated/wintereise] has joined #openvpn 09:38 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has joined #openvpn 09:42 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has quit [Quit: valparaiso] 10:03 -!- dazo is now known as dazo|afk 10:04 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 248 seconds] 10:07 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Read error: Connection reset by peer] 10:07 -!- d12fk [~heiko@exit0.net] has left #openvpn ["?RETURN WITHOUT GOSUB"] 10:13 -!- ade_b 
[~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds] 10:15 < Martin`> I upgraded ubuntu to 12.04 so I was thinking 2.3.x will be in packages, but no luck with that :( 10:16 -!- Azrael808 [~peter@212.161.9.162] has joined #openvpn 10:16 < Martin`> hmm just released 10:16 < Martin`> :P 10:19 < Martin`> !goal 10:19 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 10:22 -!- master_of_master [~master_of@p57B5425D.dip.t-dialin.net] has quit [Ping timeout: 248 seconds] 10:24 -!- master_of_master [~master_of@p57B53EFA.dip.t-dialin.net] has joined #openvpn 10:25 -!- dazo|afk is now known as dazo 10:27 -!- raidz_away is now known as raidz 10:35 -!- Minnebo__ [~Minnebo@office.exabyte.be] has quit [Ping timeout: 252 seconds] 10:36 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has joined #openvpn 10:37 -!- raidz is now known as raidz_away 10:40 -!- raidz_away is now known as raidz 10:45 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn 11:00 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 252 seconds] 11:11 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 11:13 -!- Azrael808 [~peter@212.161.9.162] has quit [Ping timeout: 245 seconds] 11:13 -!- BendIt [~ron@146-52-51-114-dynip.superkabel.de] has joined #openvpn 11:13 < BendIt> hey guys 11:15 < BendIt> just a short question to clarify that for me. openvpn supports ipv6 as of 2.3.0, so do i need an ipv4 address for each client also to get it working? 11:16 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 240 seconds] 11:17 <@dazo> BendIt: currently, yes, you do need an IPv4 pool as well ... 
the developer behind the IPv6 payload patches has it on his TODO list to fix this, but nothing ready yet 11:18 <@dazo> BendIt: but you don't have to route the IPv4 traffic if you don't need it ... just remove any "route" statements related to the IPv4 networking 11:18 < BendIt> ah ok. thanks. so it's planned that you won't need this anymore when it's done? :) 11:18 <@dazo> (and you can even block that IPv4 in your firewall) 11:18 <@dazo> BendIt: it's done sometime in the future ... that's as accurate as I can be right now 11:19 < BendIt> yeah, no problem, I can wait and I know it's done when it's done 11:20 < BendIt> is there a sample config file for client and server available? I couldn't find one which shows a usable configuration with ipv6? 11:21 <@dazo> BendIt: http://www.greenie.net/ipv6/openvpn.html ... in addition to the man page, of course (it should all be there too) 11:21 <@vpnHelper> Title: Gert Döring - IPv6 Payload Patch for OpenVPN (at www.greenie.net) 11:21 <@dazo> (that's the docs from the patch contributor) 11:21 < BendIt> thank you so much dazu, I'll have a look ;) 11:22 < BendIt> dazo, sry 11:22 <@dazo> no worries! 
11:38 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Ping timeout: 244 seconds] 11:43 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn 11:45 -!- BendIt [~ron@146-52-51-114-dynip.superkabel.de] has quit [Quit: Verlassend] 11:47 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has quit [Read error: Operation timed out] 11:49 -!- ade_b [~Ade@kista.guest.accome.com] has joined #openvpn 11:49 -!- ade_b [~Ade@kista.guest.accome.com] has quit [Changing host] 11:49 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 11:50 -!- videl [~pi@fac34-3-82-231-26-27.fbx.proxad.net] has joined #openvpn 11:57 -!- zz_AsadH [~AsadH@irc.unixio.com] has joined #openvpn 11:57 -!- zz_AsadH is now known as AsadH 11:57 -!- AsadH [~AsadH@irc.unixio.com] has quit [Changing host] 11:57 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn 12:03 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 12:03 -!- mode/#openvpn [+v s7r] by ChanServ 12:16 -!- oconnore [~eric@38.111.17.138] has joined #openvpn 12:17 < oconnore> hi, I have an openvpn install and I am trying to add a new user. The user has a crt that has been signed with the same CA that the server crt was signed with, but I am getting "self signed certificate" error. It's not a self signed certificate! What could be going wrong? 12:19 < oconnore> I have checked the fingerprints of the ca.crt files on both server and client, and they match 12:19 < oconnore> I have checked that the server crt verifies with that CA. I have checked that the client crt verifies with that CA. 12:19 -!- MeanderingCode_ [~Meanderin@71-213-175-129.albq.qwest.net] has joined #openvpn 12:20 -!- MeanderingCode [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Ping timeout: 276 seconds] 12:23 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 12:30 <@dazo> oconnore: double check your certificates ... 
with openssl and grep you can do this: openssl x509 -noout -text -in <certfile> | egrep "Issuer:|Subject:" 12:31 <@dazo> if you do this on the client cert .... you should see two lines, Issuer: and Subject: ... and they should be different 12:32 <@dazo> If the contents of these two lines are basically identical, then you've done something wrong 12:32 <@dazo> (openvpn doesn't complain about self-signed certificates without a reason) 12:36 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn 12:37 < jackbrown> If I use a main proxy in my configuration and then connect to a VPN, what will the VPN see? My proxy IP or my machine IP? 12:48 -!- MeanderingCode_ [~Meanderin@71-213-175-129.albq.qwest.net] has quit [Read error: Connection reset by peer] 13:03 <@dazo> jackbrown: if your VPN client connects via a proxy, the VPN server will see the IP of your proxy 13:03 < jackbrown> ok 13:19 -!- kyrix [~ashley@85-126-76-82.work.xdsl-line.inode.at] has quit [Quit: Ex-Chat] 13:21 -!- mdw [~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has joined #openvpn 13:28 < oconnore> dazo: thanks, my colleague's vpn client made a private copy of the configuration directory, so the certs that I was checking were not being loaded. 
13:29 -!- dazo is now known as dazo_afk 13:36 -!- mdw [~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has quit [Read error: Operation timed out] 13:36 -!- dxtr [~dxtr@unaffiliated/dxtr] has quit [Ping timeout: 276 seconds] 13:37 -!- mdw [~mdw@81.171.97.233] has joined #openvpn 13:38 -!- oconnore [~eric@38.111.17.138] has left #openvpn [] 13:45 -!- Wintereise [Wintereise@unaffiliated/wintereise] has quit [] 13:45 -!- Wintereise [~reise@unaffiliated/wintereise] has joined #openvpn 13:46 -!- mdw [~mdw@81.171.97.233] has quit [Ping timeout: 276 seconds] 13:50 -!- mdw [~mdw@cpc8-dals18-2-0-cust303.hari.cable.virginmedia.com] has joined #openvpn 14:17 -!- else- [~else@towely.iodev.org] has quit [Read error: Connection reset by peer] 14:22 -!- hilo [~helo@38.98.103.201] has joined #openvpn 14:22 < hilo> hello! 14:23 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has quit [Remote host closed the connection] 14:29 -!- Thermi [~Thermi@HSI-KBW-078-043-018-016.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn 14:30 -!- Orbi [~opera@anon-185-41.vpn.ipredator.se] has left #openvpn [] 14:30 < hilo> Is anyone in here? 
I am trying to make use of the config lines "user nobody" and "group nogroup" to secure the process, but when I check the current processes, the process is still owned by "root" 14:33 -!- Minnebo__ [~Minnebo@78-23-254-38.access.telenet.be] has joined #openvpn 14:39 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 248 seconds] 14:50 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has joined #openvpn 14:51 -!- ade_b [~Ade@h31-3-227-203.host.redstation.co.uk] has joined #openvpn 14:51 -!- ade_b [~Ade@h31-3-227-203.host.redstation.co.uk] has quit [Changing host] 14:51 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 15:01 < EugeneKay> The process is started as root but drops privileges to those users 15:02 < EugeneKay> !unpriv 15:02 <@vpnHelper> "unpriv" is see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions. 15:02 < EugeneKay> There's a method to start it as an unprivileged user from the get-go, using sudo to perform the stuff that has to be run as root (ip addr, etc.) 15:02 -!- b1rkh0ff [~b1rkh0ff@178.77.23.88] has quit [Quit: Leaving] 15:12 -!- brute11k [~brute11k@89.249.230.101] has quit [Quit: Leaving.] 
15:14 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 256 seconds] 15:45 -!- pekster [~rewt@openvpn/user/pekster] has joined #openvpn 15:45 -!- mode/#openvpn [+v pekster] by ChanServ 15:51 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via] 15:51 -!- Minnebo__ [~Minnebo@78-23-254-38.access.telenet.be] has quit [Ping timeout: 246 seconds] 15:51 -!- Valcorb [~Valcorb@94-226-106-113.access.telenet.be] has quit [Read error: Connection reset by peer] 15:53 -!- Valcorb [~Valcorb@199.229.249.189] has joined #openvpn 16:01 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has joined #openvpn 16:02 -!- mikkel [~mikkel@80-71-132-15.u.parknet.dk] has quit [Quit: Leaving] 16:02 -!- Valcorb [~Valcorb@199.229.249.189] has quit [] 16:15 -!- lazerbeak [~lazerbeak@unafffiliated/lazerbeak] has quit [Quit: Leaving] 16:19 < Martin`> hmm, nice compiled openvpn, removed package, changed openvpn init.d and all services are up and running again :D 16:19 * Martin` is happy 16:19 < Martin`> :P 16:19 < Martin`> now I need to find out how ipv6 works :) 16:22 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 16:26 < hilo> EugeneKay, so the process shows as root even after dropping privs? 16:26 -!- MeanderingCode [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn 16:27 < hilo> EugeneKay, is there a way to test that the privs have actually been dropped? and is there any info you can share for running unpriv with sudo? 16:29 < EugeneKay> hilo - the logs should say that the privs were dropped 16:29 < Martin`> only topology subnet supported? :S 16:29 < EugeneKay> hilo - all the info I have is in the link given :-p 16:29 < EugeneKay> Martin` - anything else is a sure path to insanity 16:29 <+pekster> hilo: Shows where running as root? If I drop privs via '--user' it shows the right UID in top/htop for the process 16:30 < Martin`> EugeneKay: how do you mean? 
16:30 < EugeneKay> /30 sucks 16:30 < Martin`> I use a /64 16:30 < EugeneKay> Oh, v6 on 2.3. Haven't played with that. 16:31 < Martin`> server-ipv6 2001:16f8:6:1201::/64 16:31 < Martin`> I guess that is right? or not? 16:31 < EugeneKay> Using anything other than a subnet in v6 is stupid :-p 16:31 < EugeneKay> Looks right 16:31 <+pekster> EugeneKay: PtP is still a valid configuration in IPv6 16:31 < EugeneKay> It's still a stupid one 16:32 -!- cjs226 [~cjs226@99-42-101-89.lightspeed.austtx.sbcglobal.net] has quit [] 16:32 <+pekster> If you only need to link 2 servers (eg: routers functioning as a corporate WAN link) then PtP is a much simpler solution 16:32 <+pekster> It's not for the "traditional" multi-client -> one server usecase, but OpenVPN isn't a one-size-fits-all program :P 16:33 < EugeneKay> /64s are cheap. Use a whole one for your 1-client link. 16:34 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has quit [Read error: Connection reset by peer] 16:34 -!- Porkepix [~Porkepix@ppp-seco11pa2-46-193-129.224.wb.wifirst.net] has joined #openvpn 16:34 <+pekster> Or create this many PtP links in that same IP space: 9.223372036854776e+18 ;) 16:35 < EugeneKay> I forget the RFC#, but I'm fairly sure you're not supposed to break up a network (even if it's two boxen) smaller than a /64 16:35 < EugeneKay> That's the whole point of v6 - one subnet size 16:35 < EugeneKay> And lots of em! 16:38 < Martin`> topology subnet fixed the problem 16:38 < Martin`> and it is working :D 16:38 <+pekster> net30 was a solution before subnet was available for tun to fake Windows tun links 16:38 <+pekster> It's not necessary since 2.2 16:39 < hilo> pekster, EugeneKay, it shows as root in top/htop but the logs show that it dropped privs after startup 16:39 <+pekster> Or 2.1? "a while ago" anyway 16:39 < Martin`> but standard is net30? 
16:39 <+pekster> Martin`: It's the default for backwards-compat purposes 16:39 < Martin`> ok 16:39 <+pekster> If you had a 2.0.9 client, for example, it wouldn't support subnet 16:39 <+pekster> solution: don't run anchient clients ;) 16:39 <+pekster> ancient* 16:39 < Martin`> hmm it uses the internal ipv6 address instead of the one via tunnel :( 16:40 -!- jackbrown [~se@93-44-76-167.ip96.fastwebnet.it] has quit [Quit: Sto andando via] 16:40 <+pekster> Then fix the app sending data through the tunnel to bind/source from the proper IP 16:40 <+pekster> That needs to happen on any multi-homed PC 16:41 * Martin` turns off wifi on his iphone 16:41 <+pekster> hilo: What distro? 16:41 < Martin`> yes it works now :P 16:42 < hilo> pekster, Ubuntu 12.04 server 64-bit 16:42 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn [] 16:42 * Martin` is happy finally openvpn is available for the iphone :) 16:43 <+pekster> hilo: No clue then. htop shows the 'openvpn' user when I use --user openvpn --group openvpn in my config file (or via CLI) both through my distro's initscript and when I do openvpn --config file.conf on the command-line 16:44 <+pekster> Are you sure it's the right ovpn process if you have more than one? 16:44 < hilo> pekster, there is only one 16:45 < hilo> pekster, I have to run... I'll be back in an hour (commuting home) 16:46 -!- hilo [~helo@38.98.103.201] has quit [Quit: Leaving] 16:57 -!- sjuxax [~jeff@unaffiliated/sjuxax] has joined #openvpn 16:58 -!- jthunder [~jthunder@184.151.222.11] has joined #openvpn 16:59 -!- JackWinter [~jack@vodsl-4655.vo.lu] has quit [Quit: ZNC - http://znc.in] 17:01 -!- JackWinter [~jack@vodsl-4655.vo.lu] has joined #openvpn 17:01 < sjuxax> Hello. I have a VPN connection that seems to be working well, but I am unable to resolve a route to the VPN server's external IP address while connected. The internal IP address works fine. 
For instance, I can connect to an address like 10.10.10.1, the VPN server, but I can't connect to 67.45.25.xxx, the public IP of the same server. Here is my local routing table: http://dpaste.com/888218/ 17:07 <+pekster> sjuxax: That can't be true, because your kernel is consulting the routing table for every encrypted packet it sends to your VPN peer 17:07 <+pekster> If it were true, your VPN would stop working as soon as you connected with a 'redirect-gateway' style setup like you have 17:08 < sjuxax> pekster: yeah, it seems only to happen on port 25 17:08 < sjuxax> I forgot to include that part :]. Will paste in one sec. 17:09 <+pekster> Okay, then it's not a problem looking up the route. Sounds like a firewall, and it's common for ISPs to do blocking on tcp/25 due to SMTP abuse potential. It's less common to block something bound *for* tcp/25, but some ISPs require you to use their SMTP servers if you do 17:10 <+hazardous> in the US or out? 17:10 <+hazardous> from what I can tell several US ISPs block outbound 25 17:10 <+hazardous> and require you to use their smarthost to pass mail out 17:10 <+hazardous> actually a lot* 17:10 <+hazardous> seems to be less common outside the states though 17:10 < sjuxax> http://dpaste.com/888222/ 17:11 <+pekster> You have a firewall problem. OpenVPN can't really help you with that 17:11 < sjuxax> Shouldn't the ISP not even know what port I'm connecting on, since the connection is going on the VPN? 17:11 <+pekster> No, because that traffic isn't sent across the VPN 17:11 <+pekster> You need a route to send the encrypted packets to the host that's not over the VPN 17:11 <+pekster> ie: you can't send encrypted VPN packets across the VPN. Where would that packet go? Over the VPN? And where would that one go... 17:12 < sjuxax> Ah, traffic to the outside IP is being sent over the plaintext because the routing table says to do that so the VPN can eat the other packets. Correct? 
17:12 <+pekster> Right 17:12 < sjuxax> Hmm, so is there an easy way to say "do that for everything except port VPN PORT?" 17:12 <+pekster> Don't communicate with that host, or write creative policy routing rules to send anything that's not the ovpn traffic (based on IP/port tuple) across the VPN anyway 17:12 <+pekster> sjuxax: That depends on what you mean by "easy" 17:13 <+pekster> It's not too hard if you're familiar with policy routing 17:13 <+pekster> If you're not, start here (for Linux) http://lartc.org/howto/ 17:13 <@vpnHelper> Title: Linux Advanced Routing & Traffic Control HOWTO (at lartc.org) 17:13 <+pekster> You'll then need to manage that part of the routing table adjustment yourself instead of letting openvpn do it 17:14 < sjuxax> OK. I will probably just put the vpn on a separate host. Thanks for all the help guys :) 17:14 <+pekster> Chapter 4 of that howto is where the policy routing stuff is explained, but you'd better start at the beginning if you're new to advanced iproute2 functionality 17:28 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn 17:37 -!- cjs226 [~cjs226@99-61-64-43.lightspeed.austtx.sbcglobal.net] has joined #openvpn 17:47 -!- NChief [tomme@unaffiliated/nchief] has quit [Ping timeout: 255 seconds] 17:48 -!- NChief [tomme@unaffiliated/nchief] has joined #openvpn 17:50 -!- ch1mkey [ch1m@ns203993.ovh.net] has joined #openvpn 18:01 -!- jthunder [~jthunder@184.151.222.11] has quit [Ping timeout: 248 seconds] 18:05 -!- Vorik [~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has quit [Ping timeout: 255 seconds] 18:09 -!- master_of_master [~master_of@p57B53EFA.dip.t-dialin.net] has quit [Ping timeout: 255 seconds] 18:10 -!- master_of_master [~master_of@p57B53EFA.dip.t-dialin.net] has joined #openvpn 18:25 -!- sjuxax [~jeff@unaffiliated/sjuxax] has quit [Ping timeout: 255 seconds] 18:26 -!- sjuxax [~jeff@unaffiliated/sjuxax] has joined #openvpn 18:28 -!- Vorik [~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has joined #openvpn 18:31 -!- 
jthunder [~jthunder@174.3.126.51] has joined #openvpn 18:41 -!- sjuxax [~jeff@unaffiliated/sjuxax] has quit [Quit: Leaving.] 18:43 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has joined #openvpn 18:43 -!- C-S-B_ [~csb@host81-157-117-86.range81-157.btcentralplus.com] has quit [Remote host closed the connection] 18:49 -!- jthunder [~jthunder@174.3.126.51] has quit [Quit: jthunder] 18:57 -!- jthunder [~jthunder@174.3.126.51] has joined #openvpn 19:13 -!- Vorik [~quassel@D97950AD.cm-3-2b.dynamic.ziggo.nl] has quit [Ping timeout: 248 seconds] 19:37 -!- wh1p [~wh1pl4sh@host-2-100-148-6.as13285.net] has joined #openvpn 19:49 -!- raidz is now known as raidz_away 19:54 -!- jthunder [~jthunder@174.3.126.51] has quit [Quit: jthunder] 19:59 -!- p3rror [~mezgani@2001:0:53aa:64c:383b:48a0:d673:605d] has joined #openvpn 20:20 -!- p3rror [~mezgani@2001:0:53aa:64c:383b:48a0:d673:605d] has quit [Ping timeout: 245 seconds] 20:24 -!- xbskid [~asdf@cpe-67-244-148-156.rochester.res.rr.com] has joined #openvpn 20:25 < xbskid> I have a site-to-site VPN set up; I can connect fine, but I think I'm missing either some routing or firewall rules. I can ping and traceroute successfully from the client network to the server-side network, but not the other way around. 20:26 < xbskid> Performing a traceroute from the server-side network reaches the server, but goes no further. 20:26 < xbskid> Could I need an iptables route to forward traffic to the tunnel? 
20:37 -!- brute11k [~brute11k@89.249.230.101] has joined #openvpn 20:42 -!- emmanuelux [~emmanuelu@vau92-2-82-228-217-1.fbx.proxad.net] has quit [Remote host closed the connection] 20:44 <+pekster> xbskid: Sounds like a firewall issue since getting an ICMP ping back means your return routing is working, as is the firewall for the reply 20:46 <+pekster> xbskid: Try a tcpdump/wireshark trace each step of the way, making sure to follow the path across each interface on your VPN peers 20:48 < xbskid> I would, but I neither have those tools nor know how to use them, not to mention I'm using Tomato routers as endpoints; I imagine it would be a pain in the ass to install them. 20:48 <+pekster> You can do a poor-man's tcpdump with targetless iptables rules 20:49 < xbskid> I'll try that. 21:25 -!- hilo [~saori@cpe-68-173-145-155.nyc.res.rr.com] has joined #openvpn 21:53 -!- hilo [~saori@cpe-68-173-145-155.nyc.res.rr.com] has quit [Quit: Leaving] 21:57 -!- pyro254750 [~jmiller@c-24-99-228-251.hsd1.ga.comcast.net] has joined #openvpn 21:58 < pyro254750> having trouble getting internet access when connected to openvpn, any obvious problems that normally cause this? 22:10 <+pekster> pyro254750: Plenty, most of which boil down to a misconfiguration of the openvpn config or your routing/firewall setup 22:10 <+pekster> Perhaps this is of use: 22:10 <+pekster> !rediret 22:10 <+pekster> !redirect 22:10 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 22:10 <@vpnHelper> http://ircpimps.org/redirect.png 22:12 < pyro254750> how would I check to verify that the routing is set up correctly? 
I followed the standard linode setup guide, I'm able to connect remotely but no internet access on client pc 22:12 <+pekster> You'd follow the steps in the flowchart you were just linked 22:13 < pyro254750> sorry, was having trouble getting it open, I see that now 22:14 < pyro254750> I assume that these steps are followed while connected to the vpn? 22:20 <+pekster> Yea, besides the basic configuration items 22:22 < pyro254750> for all the items on the flowchart like "is redirect-gateway enabled" is there a command I can run to tell me if it's operating, or is it simply asking if it's enabled in conf files 22:24 <+pekster> It should be obvious if you increase the verbosity to 'verb 4' and check the log output what the server is or is not pushing 22:24 <+pekster> Try the manpage and read about that option if you're unclear on what it does 22:24 <+pekster> Also: 22:24 <+pekster> !provider 22:24 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team. 
22:25 <+pekster> It's impossible to know if your provider has properly enabled ip forwarding and NAT where required, for instance 22:30 -!- pyro254750 [~jmiller@c-24-99-228-251.hsd1.ga.comcast.net] has quit [Quit: Leaving] 22:30 -!- pyro254750 [~jmiller@c-24-99-228-251.hsd1.ga.comcast.net] has joined #openvpn 22:34 -!- MeanderingCode_ [~Meanderin@71-213-188-66.albq.qwest.net] has joined #openvpn 22:43 -!- MeanderingCode_ [~Meanderin@71-213-188-66.albq.qwest.net] has quit [Read error: Connection reset by peer] 22:51 -!- pyro254750 [~jmiller@c-24-99-228-251.hsd1.ga.comcast.net] has quit [Quit: Leaving] 23:01 -!- xbskid [~asdf@cpe-67-244-148-156.rochester.res.rr.com] has quit [Read error: Connection reset by peer] 23:02 -!- xbskid [~asdf@cpe-67-244-148-156.rochester.res.rr.com] has joined #openvpn 23:03 -!- xbskid [~asdf@cpe-67-244-148-156.rochester.res.rr.com] has quit [Client Quit] 23:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn 23:38 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has joined #openvpn 23:39 < DrCode> hi all --- Day changed Wed Jan 23 2013 00:19 -!- Cpt-Oblivious [Cpt-Oblivi@a202101.upc-a.chello.nl] has quit [Ping timeout: 245 seconds] 00:56 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 252 seconds] 01:12 -!- valparaiso [~valparais@ARennes-257-1-48-169.w81-53.abo.wanadoo.fr] has left #openvpn [] 01:19 -!- bmanatwork [~work@cpe-70-112-107-27.austin.res.rr.com] has joined #openvpn 01:48 < bmanatwork> anyone help me with some iptables rules, i want 10.10.10.0(tun) to access anything, atm i have it able to access the internal networking and external ip of the server by pushing the routes manually 01:56 <+pekster> bmanatwork: Your question lacks enough information to suggest anything. Is this device generating its own traffic or forwarding routed traffic? What is the context of the traffic flowing across the interface? And network context. Etc. 
01:56 <+pekster> You're not going to get good answers if you don't ask good questions 01:56 < bmanatwork> yeah I'm working on pastebinning my stuff 01:57 < bmanatwork> I'm just slow, very sorry 02:00 < bmanatwork> http://a8.lc/bin/6ib29 02:00 <@vpnHelper> Title: Administr8 Pastebin! » 6ib29 (at a8.lc) 02:00 < bmanatwork> pekster: there is my openvpn and iptables config 02:00 < bmanatwork> sorry I was slow about it 02:01 < bmanatwork> I am wanting a client connecting to this openvpn server to be able to access that server as well as other hosts on the network it's connected to (internet) 02:02 < bmanatwork> so there is a secure connection to this server for internal docs, but they can still browse the internet as normal 02:02 < bmanatwork> is that a good explanation pekster 02:02 < bmanatwork> I've been trying for weeks, but I'm not getting what I want 02:03 < bmanatwork> got closer tonight by adding a dns server, I can resolve IPs but still can't route 02:04 < bmanatwork> when I traceroute I get to the openvpn server 10.10.10.1 but it doesn't get to the next hop 02:04 < bmanatwork> so I think it's in my iptables rules but I don't know why 02:05 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn 02:05 < bmanatwork> from my iptables output it looks like I am accepting all from 10.10.10.0 to anywhere 02:06 < bmanatwork> did you think you could help? 02:09 <+pekster> bmanatwork: You want 2 things then; pick one at a time to get working. 
We have some info from our bot, including handy flowcharts for each: 02:09 <+pekster> !serverlan 02:09 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png 02:09 <+pekster> Then, for the redirection: 02:09 <+pekster> !redirect 02:09 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 02:09 <@vpnHelper> http://ircpimps.org/redirect.png 02:10 < bmanatwork> I have grep ipv4.ip_forward /etc/sysctl.conf 02:10 < bmanatwork> net.ipv4.ip_forward=1 02:10 < bmanatwork> so that covers 1? 02:11 <+pekster> Yup 02:11 < bmanatwork> I have a local dns server 02:12 < bmanatwork> and def1 in my config push "redirect-gateway def1" 02:12 -!- ade_b [~Ade@109.58.202.10.bredband.tre.se] has joined #openvpn 02:12 -!- ade_b [~Ade@109.58.202.10.bredband.tre.se] has quit [Changing host] 02:12 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 02:12 < bmanatwork> so am I missing something still 02:12 < bmanatwork> I'm sorry I'm not familiar with this, I have had this working for a while for secure connections 02:12 < bmanatwork> but my boss wants to browse the internet too 02:13 < bmanatwork> !def1 02:13 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 02:14 -!- bauruine [~stefan@91.236.116.112] has quit [Ping timeout: 248 seconds] 02:19 -!- Minnebo [~Minnebo@mail.mms-secure.eu] has joined #openvpn 02:20 -!- Minnebo [~Minnebo@mail.mms-secure.eu] has quit [Read error: Connection reset by peer] 02:20 -!- Minnebo [~Minnebo@mail.mms-secure.eu] has joined #openvpn 02:24 -!- Minnebo [~Minnebo@mail.mms-secure.eu] has quit [Ping timeout: 246 seconds] 02:31 -!- Minnebo [~Minnebo@mail.mms-secure.eu] has joined #openvpn 02:39 -!- holmen [~holmen@h-30-250.a176.priv.bahnhof.se] has joined #openvpn 02:42 -!- Minnebo [~Minnebo@mail.mms-secure.eu] has quit [Ping timeout: 248 seconds] 02:42 -!- mementomori [~mementomo@unaffiliated/mementomori] has joined #openvpn 02:42 < mementomori> hi 02:43 < mementomori> I'm using openvpn 2.3.0 on windows xp and it seems like the 'route-up' script is not called 02:44 < EugeneKay> !windows 02:44 <@vpnHelper> "windows" is (#1) computers are like air conditioners, they work well until you open windows. or (#2) http://secure-computing.net/files/windows.jpg for funny or (#3) http://secure-computing.net/files/windows_2.jpg for more funny 02:45 < mementomori> EugeneKay, the links are both 404 02:45 < mementomori> :) 02:45 < EugeneKay> Yeah, ecrist's fault. 02:46 < EugeneKay> !pastebin your configs ? 02:46 < EugeneKay> !pastebin 02:46 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use 02:46 < EugeneKay> Damn bot. 02:46 < mementomori> EugeneKay, sure, gimme a second 02:46 < EugeneKay> The windows box, really. 
02:48 < mementomori> pastebin.com/encUnnJS 02:49 < EugeneKay> I suspect it's something with the \\ escaping myself 02:49 < EugeneKay> It's always escaping 02:50 < EugeneKay> Try invoking with relative paths and the --cd directive on the command line 02:50 < mementomori> EugeneKay, but log doesn't put any warning about route-up line 02:50 < mementomori> EugeneKay, I'll try with single \ 02:51 < mementomori> EugeneKay, ok. trying --cd 02:53 -!- bmanatwork [~work@cpe-70-112-107-27.austin.res.rr.com] has left #openvpn ["Leaving"] 02:54 -!- amir [~amir@unaffiliated/amir] has quit [Ping timeout: 248 seconds] 03:02 < mementomori> mmmm --cd, single \ and using / instead of \\ haven't solved the problem 03:04 < mementomori> I tried route-up c:/Programmi/OpenVPN/config/infotel-ts/route-upXXX.bat and it complains the file doesn't exist 03:04 <+pekster> mementomori: So --cd "C:\Some\where" --route-up "C:/Some/where/script.bat" ? 03:04 < mementomori> pekster, yes 03:04 < mementomori> so I think the problem is in the .bat 03:04 -!- AsadH is now known as zz_AsadH 03:05 <+pekster> Quoted or not? I'm curious as I didn't get a sample route-up script to work in either 2.2.2 or 2.3.0-x64 bit. Interestingly enough, the 'verb 4' is ignored in 2.3.0 as well 03:05 <+pekster> Downgrading to 2.2.2 and the exact same config verb 4 works fine 03:05 <+pekster> :\ 03:05 -!- Orbi [~opera@109.129.12.35] has joined #openvpn 03:06 < mementomori> pekster, it was working with an older release 03:06 < mementomori> pekster, but I don't remember which version it actually was 03:07 <+pekster> k. So now you're using --route-up with or without outside-quotes? 03:07 < mementomori> www.pastebin.com/X4E6AAUZ 03:07 < mementomori> pekster, now without quotes 03:08 <+pekster> Interesting. 
I should gander at the code since I've seen some quoting issues due to Windows pathnames in the past too 03:08 <+pekster> Windows is such a PITA ;) 03:08 -!- bauruine [~stefan@91.236.116.112] has joined #openvpn 03:08 < mementomori> pekster, but it cannot be a quoting problem because it is able to detect missing files. 03:09 <+pekster> They shouldn't have been missing though, right? openvpn is "supposed" to support Windows-style paths as parameters too 03:09 <+pekster> You usually have to escape spac